Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-41294

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-20 Apr, 2026 | 23:08
Updated At-21 Apr, 2026 | 13:04
Rejected At-
Credits

OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:20 Apr, 2026 | 23:08
Updated At:21 Apr, 2026 | 13:04
Rejected At:
â–¼CVE Numbering Authority (CNA)
OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.

Affected Products
Vendor
OpenClawOpenClaw
Product
OpenClaw
Default Status
unaffected
Versions
Affected
  • From 0 before 2026.3.28 (semver)
Unaffected
  • 2026.3.28 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-15CWE-15: External Control of System or Configuration Setting
Type: CWE
CWE ID: CWE-15
Description: CWE-15: External Control of System or Configuration Setting
Metrics
VersionBase scoreBase severityVector
4.08.5HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.18.6HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
tdjackey
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq
vendor-advisory
https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file
third-party-advisory
Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq
Resource:
vendor-advisory
Hyperlink: https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file
Resource:
third-party-advisory
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:21 Apr, 2026 | 00:16
Updated At:27 Apr, 2026 | 15:07

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.5HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.18.6HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CPE Matches
OpenClaw
openclaw
>>openclaw>>Versions before 2026.3.28(exclusive)
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-15Primarydisclosure@vulncheck.com
CWE ID: CWE-15
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqqdisclosure@vulncheck.com
Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-filedisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq
Source: disclosure@vulncheck.com
Resource:
Vendor Advisory
Hyperlink: https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2026-41384
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.01% / 2.76%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 18:09
Updated-01 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-15
External Control of System or Configuration Setting
CVE-2026-41387
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.02% / 5.22%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 18:09
Updated-30 Apr, 2026 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-183
Permissive List of Allowed Inputs
CVE-2026-41396
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.01% / 2.03%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 18:09
Updated-30 Apr, 2026 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-41295
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.01% / 2.76%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 23:08
Updated-27 Apr, 2026 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-41336
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.01% / 2.76%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 21:57
Updated-28 Apr, 2026 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-44114
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-Not Assigned
Published-06 May, 2026 | 19:49
Updated-07 May, 2026 | 17:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CVE-2026-35650
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.7||HIGH
EPSS-0.07% / 21.30%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 16:03
Updated-13 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization

OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-15
External Control of System or Configuration Setting
CVE-2026-43531
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7||HIGH
EPSS-0.01% / 1.66%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 11:25
Updated-07 May, 2026 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-15
External Control of System or Configuration Setting
CVE-2026-22177
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 6.97%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 01:34
Updated-08 Apr, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars

OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-15
External Control of System or Configuration Setting
Details not found