Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables.
AnalysisAI
OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.
Technical ContextAI
OpenClaw fails to properly sanitize environment variables commonly used by Python package managers (pip and uv) to specify custom package index URLs. These variables (PIP_INDEX_URL and UV_INDEX_URL) control where the package manager retrieves Python packages during installation or dependency resolution. The root cause is classified as CWE-184 (Improper Neutralization of Characters in an OS Command), indicating that unsanitized user-controllable input is passed to package management operations without validation. This allows an authenticated local user to set or override these environment variables with attacker-controlled URLs, redirecting all package traffic to a malicious index server where packages can be replaced with compromised versions. The vulnerability exists in the host execution context where OpenClaw invokes package managers.
RemediationAI
Upgrade OpenClaw to version 2026.3.31 or later. The vendor has released a patched version confirmed via the GitHub commit 7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d (referenced in the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v). The upstream fix properly sanitizes PIP_INDEX_URL and UV_INDEX_URL environment variables before passing them to package manager invocations. As a temporary compensating control for environments where immediate upgrade is not feasible, restrict the ability of unprivileged local users to set arbitrary environment variables in the execution context where OpenClaw runs - for example, by using OS-level restrictions (AppArmor, SELinux) to deny modification of package-manager-related environment variables, or by running OpenClaw in isolated execution containers with a fixed, trusted environment. Note that these controls may interfere with legitimate use cases where environment customization is required for proxy or mirror configurations, so validate the business impact before deployment.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26099
GHSA-7ggg-pvrf-458v