High severity (7.8) · NVD Advisory · Published Apr 28, 2026 · Updated Apr 30, 2026
CVE-2026-41387
Description
OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openclaw | npm | < 2026.3.22 | 2026.3.22 |
References
- github.com/advisories/GHSA-j7p2-qcwm-94v4 (GHSA advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4 (vendor advisory, listed by NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-41387 (NVD entry, listed by GHSA)
- www.vulncheck.com/advisories/openclaw-supply-chain-redirection-via-incomplete-host-environment-sanitization (third-party advisory, listed by NVD)
- github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232 (fix commit, listed by GHSA)
- github.com/openclaw/openclaw/releases/tag/v2026.3.22 (patched release, listed by GHSA)