CVE-2026-42427

Summary

OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.4.8affected
OpenClawOpenClaw2026.4.8unaffected

Weaknesses

  • CWE-184: CWE-184: Incomplete List of Disallowed Inputs

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References