CVE-2026-41384
OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
CVSS Score
7.8
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.
| CWE | CWE-15 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Apr 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new high vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
OpenClaw / OpenClaw
0 < 2026.3.24
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg github.com: https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend
Credits
๐ Edward-x (@YLChen-007)