CVE-2026-41369
Severity: MEDIUM
OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution
Title source: cna
Description
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.
References (3)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-cg7q-fg22-4g98)
https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution
https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution
Scores
CVSS v3
6.5
EPSS
0.0031
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-668
Status
published
Products (4)
npm/openclaw: 0 - 2026.3.31 (npm)
OpenClaw/OpenClaw: < 2026.3.31
openclaw/openclaw: < 2026.3.31
OpenClaw/OpenClaw: 2026.3.31
Published
Apr 28, 2026
Tracked Since
Apr 28, 2026