Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.
AnalysisAI
OpenClaw prior to commit b57b680 allows authenticated users to bypass the approval system by exploiting inconsistent environment variable normalization between approval validation and execution paths. An attacker with low privileges can inject non-portable environment variable keys that are filtered during operator review but accepted at runtime, potentially enabling execution of attacker-controlled binaries. This vulnerability has a CVSS score of 6.9 (medium-high impact) and requires user interaction but affects the integrity of the approval workflow.
Technical ContextAI
The vulnerability stems from CWE-184 (Inconsistent Use of Validation Logic), where OpenClaw's approval mechanism and execution engine normalize environment variables differently. During approval processing, the system discards keys that do not conform to portable naming conventions, allowing these keys to pass through the approval gate without operator scrutiny. However, the execution path accepts these same non-portable keys, creating a semantic gap that allows attacker-controlled environment variables to influence runtime behavior. Environment variable injection is a well-known attack vector for privilege escalation and arbitrary code execution in systems that spawn child processes or execute binaries. The affected product is OpenClaw, a workflow automation or orchestration tool, as identified by CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. All versions prior to commit b57b680c0c34de907d57f60c38fb358e82aef8f7 are affected.
RemediationAI
The vendor has released a fix via commit b57b680c0c34de907d57f60c38fb358e82aef8f7 (https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7), which addresses the inconsistent normalization logic. Users should upgrade to a version that includes this commit or later. The GitHub pull request (https://github.com/openclaw/openclaw/pull/59182) provides additional context and may contain implementation details. Consult the official GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-34426 for deployment guidance. As a temporary control, restrict approval bypass permissions to highly trusted users and monitor environment variable injection attempts in execution logs until the patch is applied.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18491