Skip to main content

OpenClaw EUVDEUVD-2026-29148

| CVE-2026-45003 MEDIUM
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-11 VulnCheck GHSA-5jgm-f9wr-9qm7
4.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
CVSS changed
May 11, 2026 - 18:22 NVD
5.0 (MEDIUM) 4.1 (MEDIUM)
Source Code Evidence Fetched
May 11, 2026 - 17:48 vuln.today
Analysis Generated
May 11, 2026 - 17:48 vuln.today
CVE Published
May 11, 2026 - 16:46 nvd
MEDIUM 5.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.22.

DescriptionCVE.org

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.

AnalysisAI

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.

Technical ContextAI

OpenClaw uses dotenv files to manage environment configuration for bundled connectors that integrate with Matrix, Mattermost, IRC, and Synology endpoints. The vulnerability exists in the workspace dotenv loading mechanism (loadWorkspaceDotEnvFile function in src/infra/dotenv.ts), which failed to block sensitive endpoint-related environment variables. An attacker with workspace file access could craft a .env file containing variables like MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, SYNOLOGY_NAS_HOST, or per-account Matrix homeserver suffixes (MATRIX_<ACCOUNT>_HOMESERVER) to override the operator-configured endpoints. The root cause (CWE-441: Unintended Proxy or Intermediary) stems from insufficient input validation and lack of blocklist enforcement in the dotenv loader. The fix implements a blocklist (BLOCKED_WORKSPACE_DOTENV_KEYS and BLOCKED_WORKSPACE_DOTENV_SUFFIXES) that prevents workspace .env files from overriding these critical connector configuration values while allowing trusted global runtime dotenv loading to remain separate.

RemediationAI

Vendor-released patch: upgrade to OpenClaw 2026.4.22 or later. The patch is published on npm and the compiled package contains the fix (commit 0623079e98abf7202591f1b04a89755eb7ec9272 is contained in the v2026.4.22 release tag). For deployments unable to upgrade immediately, restrict write access to workspace .env files to trusted administrators only - prevent untrusted users and automated processes from modifying or committing .env files into shared workspaces. Additionally, audit existing .env files in all workspaces for the presence of suspicious endpoint variables (MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, SYNOLOGY_NAS_HOST, or *_HOMESERVER patterns) and verify that connector traffic is reaching the intended endpoints rather than attacker-controlled hosts. The patch blocks these variables at load time, but compensating controls depend on enforcing file-level access controls and monitoring endpoint configurations.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

EUVD-2026-29148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy