CVE-2026-34426
HIGHOpenClaw - Approval Bypass via Environment Variable Normalization
Title source: cnaDescription
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.
Scores
CVSS v3
7.6
EPSS
0.0004
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-184
Status
published
Products (3)
npm/openclaw
0 - 2026.3.22npm
openclaw/openclaw
< 2026.4.2
OpenClaw/OpenClaw
< b57b680c0c34de907d57f60c38fb358e82aef8f7
Published
Apr 02, 2026
Tracked Since
Apr 03, 2026