Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.24.
DescriptionCVE.org
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.
AnalysisAI
Environment variable injection in OpenClaw's CLI backend runner enables local attackers to achieve arbitrary code execution or exfiltrate sensitive data by manipulating workspace configuration files. Attackers with the ability to supply malicious workspace configs can inject environment variables into backend processes during spawning, exploiting CWE-15 (external control of system or configuration setting). Vendor patch available via GitHub commit c2fb7f1. CVSS 8.5 reflects high impact across confidentiality, integrity, and availability, though exploitation requires local access and user interaction to load the malicious workspace config. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-15 (External Control of System or Configuration Setting) in OpenClaw's command-line interface backend runner. The affected component (cpe:2.3:a:openclaw:openclaw) fails to sanitize or validate environment variable inputs derived from workspace configuration files before spawning backend processes. Environment variable injection is a class of attack where untrusted input controls process environment variables, which can then influence program behavior, library loading paths (LD_PRELOAD, PATH manipulation), or configuration settings. In CLI tools that spawn subprocesses, injected environment variables can alter execution flow, load malicious shared libraries, or leak credentials through modified logging/debugging variables. The CVSS 4.0 vector indicates local attack vector (AV:L) with low complexity (AC:L) but requires user interaction (UI:P) to load the crafted workspace configuration, suggesting the victim must explicitly open or import a malicious workspace file.
RemediationAI
Upgrade to OpenClaw version 2026.3.24 or later, which includes the fix committed in GitHub commit c2fb7f1948c3226732a630256b5179a60664ec24 (https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24). Review the vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg for upgrade instructions and additional context. If immediate patching is not feasible, implement compensating controls: restrict workspace configuration files to trusted internal sources only, implement file integrity monitoring on workspace config directories, and educate users to never load workspace configs from external or untrusted parties. Consider running OpenClaw CLI processes in sandboxed environments (containers, VMs) with restricted environment variable inheritance to limit blast radius of potential exploitation. Trade-off: sandboxing may break legitimate workflows that depend on specific environment variables; test thoroughly before production deployment. Review audit logs for unexpected workspace config loads or backend process spawns with anomalous environment variables.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26093
GHSA-vfw7-6rhc-6xxg