
OpenClaw CVE-2026-41387

EUVD-2026-26096 | HIGH
Permissive List of Allowed Inputs (CWE-183)
2026-04-28 · VulnCheck · GHSA-j7p2-qcwm-94v4
CVSS 4.0 base score: 8.5

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Passive (P)
  • Scope: X

Lifecycle Timeline (8 events)

  • Apr 30, 2026 20:36 (nvd): Patch released; patch available
  • Apr 28, 2026 21:01 (EUVD): Patch available
  • Apr 28, 2026 20:23 (vuln.today): Re-analysis queued (cvss_changed)
  • Apr 28, 2026 20:03 (vuln.today): Analysis generated
  • Apr 28, 2026 19:52 (NVD): CVSS changed, 7.8 (HIGH) to 8.5 (HIGH)
  • Apr 28, 2026 19:30 (euvd): EUVD ID assigned, EUVD-2026-26096
  • Apr 28, 2026 19:30 (vuln.today): Analysis generated
  • Apr 28, 2026 18:09 (nvd): CVE published, HIGH 8.5

Blast Radius (ecosystem impact)

  • 5 npm packages depend on openclaw (5 direct, 0 indirect); vuln.today resolves the transitive dependency graph to a depth of 4.

Ecosystem-wide dependent count for version 2026.3.22.

Description (NVD)

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.
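The description above names the defect class: an environment sanitizer built as a permissive list (CWE-183) that strips a few well-known variables but lets package-manager override variables through to an approved exec request. The following is an added example written for this page, not OpenClaw's own host-env-security.ts or the contents of host-env-security-policy.json (which are not reproduced here). It contrasts a blocklist sanitizer with an allowlist sanitizer and adds a detection helper that reports which override variables an environment carries. The variable names are documented npm, pnpm, yarn, pip and loader settings; the allowlist membership, the policy shape and the sample environment are assumptions constructed for the example.

```typescript
// Added example (not OpenClaw's code): blocklist vs allowlist sanitization of
// the environment handed to an approved exec request, plus a detector that
// names the package-manager override variables present in an environment.

type Env = Record<string, string>;

// Permissive blocklist (the CWE-183 pattern): strips a couple of variables but
// does not name the registry/index overrides, so they pass through untouched.
const PERMISSIVE_BLOCKLIST = new Set<string>(["NODE_OPTIONS", "LD_PRELOAD"]);

function sanitizeWithBlocklist(env: Env): Env {
  const out: Env = {};
  for (const [name, value] of Object.entries(env)) {
    if (!PERMISSIVE_BLOCKLIST.has(name)) out[name] = value;
  }
  return out;
}

// Allowlist: only variables an approved command legitimately needs pass
// through; every override variable is dropped by construction, including ones
// nobody thought to list. (Assumed allowlist; a real policy would be reviewed
// against what the approved commands actually require.)
const ALLOWED_EXACT = new Set<string>([
  "PATH", "HOME", "USER", "LANG", "LC_ALL", "TERM", "TZ", "TMPDIR", "SHELL",
]);

function sanitizeWithAllowlist(env: Env): Env {
  const out: Env = {};
  for (const [name, value] of Object.entries(env)) {
    if (ALLOWED_EXACT.has(name)) out[name] = value;
  }
  return out;
}

// Documented settings that redirect package resolution or change how a runtime
// bootstraps. Listed so a host can log or refuse an approved exec request whose
// environment carries them, rather than silently forwarding them.
const OVERRIDE_PREFIXES = ["NPM_CONFIG_", "YARN_", "PNPM_", "PIP_", "COREPACK_"];
const OVERRIDE_EXACT = new Set<string>([
  "NODE_OPTIONS", "NODE_EXTRA_CA_CERTS", "LD_PRELOAD", "LD_LIBRARY_PATH",
  "DYLD_INSERT_LIBRARIES", "PYTHONPATH", "PYTHONSTARTUP",
]);

function findOverrideVariables(env: Env): string[] {
  return Object.keys(env)
    .filter((name) =>
      OVERRIDE_EXACT.has(name) || OVERRIDE_PREFIXES.some((p) => name.startsWith(p)))
    .sort();
}

// Constructed sample environment for an approved exec request. The two
// registry/index values are placeholders on a reserved ".invalid" domain.
const SAMPLE_ENV: Env = {
  PATH: "/usr/local/bin:/usr/bin:/bin",
  HOME: "/home/agent",
  LANG: "en_US.UTF-8",
  NODE_OPTIONS: "--max-old-space-size=4096",
  NPM_CONFIG_REGISTRY: "https://registry.invalid/",          // redirects npm installs
  PIP_INDEX_URL: "https://pypi.invalid/simple",              // redirects pip installs
};

// Stand-alone run: show what each sanitizer forwards and what the detector flags.
console.log("blocklist forwards:", Object.keys(sanitizeWithBlocklist(SAMPLE_ENV)).sort());
console.log("allowlist forwards:", Object.keys(sanitizeWithAllowlist(SAMPLE_ENV)).sort());
console.log("override variables present:", findOverrideVariables(SAMPLE_ENV));
```

With the sample environment, the blocklist sanitizer removes NODE_OPTIONS but forwards NPM_CONFIG_REGISTRY and PIP_INDEX_URL, which is exactly the gap the advisory describes; the allowlist sanitizer forwards only PATH, HOME and LANG. `findOverrideVariables` is the piece worth wiring into logging or an exec-approval check: the list it returns is evidence that an environment was trying to redirect resolution, independent of which sanitizer is in front of it.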

Analysis (AI-generated)

OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. …


Remediation (AI-generated)

Within 24 hours: Identify all systems running OpenClaw package manager and document current version inventory. Within 7 days: Contact OpenClaw vendor for patch availability timeline and interim guidance; implement file integrity monitoring on package installation directories. …


CVE-2026-41387 vulnerability details – vuln.today
