CVE-2026-43531

Summary

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.4.9affected
OpenClawOpenClaw2026.4.9unaffected

Weaknesses

  • CWE-15: CWE-15: External Control of System or Configuration Setting

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References