CVE-2026-41369

MEDIUM

OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution

Title source: cna

Description

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98

[Patch] https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668

Status published

Products (3)

OpenClaw/OpenClaw < 2026.3.31

openclaw/openclaw < 2026.3.31

OpenClaw/OpenClaw 2026.3.31

Published Apr 28, 2026

Tracked Since Apr 28, 2026