CVE-2026-42427

MEDIUM

OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.

References (3)

Scores

CVSS v3 5.3
EPSS 0.0003
EPSS Percentile 7.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-184
Status published
Products (2)
OpenClaw/OpenClaw < 2026.4.8
OpenClaw/OpenClaw 2026.4.8
Published Apr 28, 2026
Tracked Since Apr 29, 2026