CVE-2026-41369

MEDIUM 6.5

OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.

CWE	CWE-668
Vendor	openclaw
Product	openclaw
Published	Apr 27, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.3.31

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98 github.com: https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c vulncheck.com: https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution

Credits

🔍 tdjackey