CVE-2026-41384
8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenClaw | OpenClaw | 0 < 2026.3.24 | affected |
| OpenClaw | OpenClaw | 2026.3.24 | unaffected |
Weaknesses
- CWE-15: CWE-15: External Control of System or Configuration Setting
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg
- https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24
- https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.