High severity7.8NVD Advisory· Published Apr 28, 2026· Updated May 1, 2026
CVE-2026-41384
CVE-2026-41384
Description
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.24 | 2026.3.24 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24nvdPatchWEB
- github.com/advisories/GHSA-vfw7-6rhc-6xxgghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxgnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41384ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backendnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.