CVE-2026-41384

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.8 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H                                    

Vulnerability Description

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.

Vulnerability Details

Published Date

April 28, 2026

Last Modified

April 28, 2026

CWE ID

CWE-15

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24
https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg
https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend

CVE-2026-41384

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment