CVE-2026-41384
HIGHOpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
Title source: cnaDescription
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-vfw7-6rhc-6xxg)
https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend
Scores
CVSS v3
7.8
EPSS
0.0014
EPSS Percentile
3.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-15
Status
published
Products (4)
npm/openclaw
0 - 2026.3.24npm
OpenClaw/OpenClaw
< 2026.3.24
openclaw/openclaw
< 2026.3.24
OpenClaw/OpenClaw
2026.3.24
Published
Apr 28, 2026
Tracked Since
Apr 29, 2026