Home

Description

OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.

PUBLISHED Reserved 2026-03-27 | Published 2026-04-02 | Updated 2026-04-03 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Problem types

CWE-184 Incomplete List of Disallowed Inputs

Product status

Default status
unaffected

Any version before b57b680c0c34de907d57f60c38fb358e82aef8f7
affected

Credits

Zhijie Zhang reporter

References

github.com/...enclaw/security/advisories/GHSA-98ch-45wp-ch47 (GitHub Security Advisory (GHSA-h3x4-hc5v-v2gm)) vendor-advisory

github.com/openclaw/openclaw/pull/59182 (Patch Commit #1) issue-tracking

github.com/...ommit/b57b680c0c34de907d57f60c38fb358e82aef8f7 patch

www.vulncheck.com/...-via-environment-variable-normalization third-party-advisory

cve.org (CVE-2026-34426)

nvd.nist.gov (CVE-2026-34426)

Download JSON