Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.22.
DescriptionCVE.org
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
AnalysisAI
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.
Technical ContextAI
OpenClaw uses dotenv files to manage environment configuration for bundled connectors that integrate with Matrix, Mattermost, IRC, and Synology endpoints. The vulnerability exists in the workspace dotenv loading mechanism (loadWorkspaceDotEnvFile function in src/infra/dotenv.ts), which failed to block sensitive endpoint-related environment variables. An attacker with workspace file access could craft a .env file containing variables like MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, SYNOLOGY_NAS_HOST, or per-account Matrix homeserver suffixes (MATRIX_<ACCOUNT>_HOMESERVER) to override the operator-configured endpoints. The root cause (CWE-441: Unintended Proxy or Intermediary) stems from insufficient input validation and lack of blocklist enforcement in the dotenv loader. The fix implements a blocklist (BLOCKED_WORKSPACE_DOTENV_KEYS and BLOCKED_WORKSPACE_DOTENV_SUFFIXES) that prevents workspace .env files from overriding these critical connector configuration values while allowing trusted global runtime dotenv loading to remain separate.
RemediationAI
Vendor-released patch: upgrade to OpenClaw 2026.4.22 or later. The patch is published on npm and the compiled package contains the fix (commit 0623079e98abf7202591f1b04a89755eb7ec9272 is contained in the v2026.4.22 release tag). For deployments unable to upgrade immediately, restrict write access to workspace .env files to trusted administrators only - prevent untrusted users and automated processes from modifying or committing .env files into shared workspaces. Additionally, audit existing .env files in all workspaces for the presence of suspicious endpoint variables (MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, SYNOLOGY_NAS_HOST, or *_HOMESERVER patterns) and verify that connector traffic is reaching the intended endpoints rather than attacker-controlled hosts. The patch blocks these variables at load time, but compensating controls depend on enforcing file-level access controls and monitoring endpoint configurations.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29148
GHSA-5jgm-f9wr-9qm7