CVE-2026-41384

HIGH

OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

Title source: cna

Description

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner. An attacker who can supply a crafted workspace configuration can inject arbitrary environment variables into the backend process that the runner spawns, enabling code execution or sensitive data exposure.

Scores

CVSS v3 7.8
EPSS 0.0001
EPSS Percentile 2.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-15 (External Control of System or Configuration Setting)
Status published
Products (2)
OpenClaw/OpenClaw < 2026.3.24
OpenClaw/OpenClaw 2026.3.24
Published Apr 28, 2026
Tracked Since Apr 29, 2026