Skip to main content

OpenClaw CVE-2026-41369

HIGH
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-28 disclosure@vulncheck.com
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 16:37 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 00:31 vuln.today
Analysis Generated
Apr 28, 2026 - 00:22 vuln.today
CVE Published
Apr 28, 2026 - 00:16 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.31.

DescriptionCVE.org

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.

AnalysisAI

Environment variable injection in OpenClaw (pre-2026.3.31) allows authenticated remote attackers to compromise host execution integrity by injecting malicious variables that override package managers, Docker registries, compiler paths, and TLS configurations during host exec operations. The vulnerability exhibits high confidentiality impact (CVSS:4.0 VC:H) with network attack vector and low complexity (AV:N/AC:L), requiring only low-privilege authentication (PR:L). VulnCheck disclosure indicates this affects Docker-related operations, with fixes available via GitHub commit eb8de67 and tracked under GHSA-cg7q-fg22-4g98. EPSS and KEV data not available at time of analysis.

Technical ContextAI

OpenClaw's host execution component (CWE-668: Exposure of Resource to Wrong Sphere) fails to properly sanitize environment variables before executing commands on the host system. The vulnerability specifically targets variables controlling critical system dependencies: package manager configuration (NPM_CONFIG_*, PIP_*, etc.), container registry endpoints (DOCKER_REGISTRY, REGISTRY_AUTH), compiler toolchain paths (CC, CXX, PATH), and TLS/SSL certificate validation settings (SSL_CERT_FILE, REQUESTS_CA_BUNDLE, NODE_TLS_REJECT_UNAUTHORIZED). When OpenClaw performs host exec operations, it inherits or processes user-controlled environment variables without adequate filtering, allowing attackers to redirect dependency resolution to malicious sources, disable certificate validation, or execute attacker-controlled binaries. This is particularly critical in containerized environments where Docker and registry configurations can be hijacked to pull malicious images or leak credentials.

RemediationAI

Upgrade to OpenClaw version 2026.3.31 or later, which implements proper environment variable sanitization for host exec operations per commit eb8de6715f02949c21c4e895fffc8a6dcb00975c available at https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c. The patch adds filtering for package manager variables (NPM_CONFIG_*, PIP_INDEX_URL, etc.), registry configurations (DOCKER_REGISTRY, REGISTRY_AUTH_FILE), compiler paths (CC, CXX, LD_LIBRARY_PATH), and TLS override variables (SSL_CERT_FILE, NODE_TLS_REJECT_UNAUTHORIZED, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE). If immediate patching is not feasible, implement these compensating controls: (1) Restrict OpenClaw host exec operations to trusted administrative users only - remove PR:L access for untrusted accounts, trading reduced functionality for attack surface reduction; (2) Run OpenClaw processes in isolated containers with read-only root filesystems and explicit environment variable allowlists via seccomp/AppArmor profiles, which adds operational complexity but prevents variable injection at the container runtime level; (3) Monitor and alert on unexpected environment variable patterns in OpenClaw logs, particularly TLS_REJECT_UNAUTHORIZED=0 or non-standard registry URLs, though this provides detection rather than prevention. Consult VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution for additional context.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-41369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy