Description
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.
Problem types
Incomplete List of Disallowed Inputs
Product status
Any version before 2026.5.28
Credits
Harish Kolla (GitHub: Har1sh-k)
References
github.com/...enclaw/security/advisories/GHSA-4pqj-3c56-5fqq (GitHub Security Advisory (GHSA-4pqj-3c56-5fqq))
www.vulncheck.com/...ial-override-via-workspace-dotenv-files