High severity 7.6 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 6, 2026
CVE-2026-34426
Description
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.
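A minimal sketch of the class of flaw described above, added here as an illustration and not taken from OpenClaw's code: every function name, the key pattern and the sample request are assumptions. It shows how a key dropped on the approval path but kept on the execution path escapes review, and how a single strict normalizer shared by both paths closes the gap.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's code.
const PORTABLE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/; // assumed "portable" pattern
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Approval path: silently drops keys that are not portable names.
function normalizeForApproval(env) {
  return Object.fromEntries(
    Object.entries(env).filter(([k]) => PORTABLE_KEY.test(k)));
}

// Execution path in the flawed design: passes every key through.
function normalizeForExecutionFlawed(env) {
  return { ...env };
}

// Detection helper: keys that would reach the process unreviewed.
function unreviewedKeys(requested, normalizeExec) {
  const approved = normalizeForApproval(requested);
  const executed = normalizeExec(requested);
  return Object.keys(executed)
    .filter((k) => !has(approved, k) || approved[k] !== executed[k])
    .sort();
}

// Hardened: one normalizer that rejects instead of dropping.
function normalizeStrict(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (!PORTABLE_KEY.test(k)) throw new Error(`rejected env key ${JSON.stringify(k)}`);
    if (typeof v !== "string") throw new Error(`non-string value for ${k}`);
    out[k] = v;
  }
  return Object.freeze(out);
}

// The object the operator approved is the object handed to execution.
function approveThenExecute(requested, operatorApproves) {
  const approved = normalizeStrict(requested);
  if (!operatorApproves(approved)) throw new Error("denied by operator");
  return approved;
}

// Constructed sample request (not taken from any real report).
const sampleRequest = { LANG: "C", "not-portable.key": "constructed-value" };
console.log(unreviewedKeys(sampleRequest, normalizeForExecutionFlawed));
```

Running `unreviewedKeys` with the same normalizer on both sides returns an empty list, which makes it usable as a regression check that the two paths agree.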
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.22 | 2026.3.22 |
References
- github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7 (nvd: Patch, WEB)
- github.com/openclaw/openclaw/pull/59182 (nvd: Issue Tracking, Patch, WEB)
- github.com/advisories/GHSA-h3x4-hc5v-v2gm (ghsa: ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47 (nvd: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34426 (ghsa: ADVISORY)
- www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization (nvd: Third Party Advisory, WEB)
- github.com/openclaw/openclaw/commit/4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 (ghsa: WEB)
- github.com/openclaw/openclaw/commit/93880717f1cd34feaa45e74e939b7a5256288901 (ghsa: WEB)
- github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm (ghsa: WEB)