Home

Description

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-28 | Updated 2026-04-29 | Assigner VulnCheck




HIGH: 8.5CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-15: External Control of System or Configuration Setting

Product status

Default status
unaffected

Any version before 2026.3.24
affected

2026.3.24 (semver)
unaffected

Credits

Edward-x (@YLChen-007) reporter

References

github.com/...enclaw/security/advisories/GHSA-vfw7-6rhc-6xxg (GitHub Security Advisory (GHSA-vfw7-6rhc-6xxg)) vendor-advisory

github.com/...ommit/c2fb7f1948c3226732a630256b5179a60664ec24 (Patch Commit) patch

www.vulncheck.com/...ion-via-workspace-config-in-cli-backend (VulnCheck Advisory: OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend) third-party-advisory

cve.org (CVE-2026-41384)

nvd.nist.gov (CVE-2026-41384)

Download JSON