VYPR
High severity (7.8) · NVD Advisory · Published May 6, 2026 · Updated May 7, 2026

CVE-2026-44114

Description

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.
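To make the failure mode concrete, here is an added TypeScript example; it is not OpenClaw's code, and only the prefix names (`OPENCLAW_`, `OPENCLAW_CLAWHUB_`, `OPENCLAW_DISABLE_`, `OPENCLAW_SKIP_`) and the `OPENCLAW_GIT_DIR` variable come from this advisory and its patch. The minimal `.env` parser, the "never override an existing process variable" rule, the `loadWorkspaceDotenv` function and the sample file contents are assumptions for illustration. It contrasts an enumerated sub-namespace blocklist, which lets an unlisted runtime control such as `OPENCLAW_GIT_DIR` through, with reserving the whole `OPENCLAW_` prefix so that any control the loader has never heard of fails closed.

```typescript
// Added example (not OpenClaw's code): a fail-closed loader for an untrusted
// workspace .env file. Only the prefix names below come from the advisory's
// patch; the parser, the merge rule and the sample file are assumptions.

// Enumerated blocklist, in the spirit of the vulnerable version: only specific
// OPENCLAW_ sub-namespaces are blocked, so an unlisted control slips through.
const ENUMERATED_PREFIXES: readonly string[] = [
  "OPENCLAW_CLAWHUB_",
  "OPENCLAW_DISABLE_",
  "OPENCLAW_SKIP_",
];

// Reserved-namespace blocklist, as in the fix: the whole OPENCLAW_ namespace is
// reserved for shell/global config, so unknown controls are rejected by default.
const RESERVED_PREFIXES: readonly string[] = ["OPENCLAW_", ...ENUMERATED_PREFIXES];

interface LoadResult {
  applied: Record<string, string>; // keys that would be exported to the process
  blocked: string[];               // keys rejected by the blocklist
}

// Minimal KEY=VALUE parser for the .env subset used here (comments, blank
// lines, optional matching quotes). Real dotenv grammars are richer; this one
// is constructed for the example.
function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // no key or no "=": ignore the line
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const doubleQuoted = value.startsWith('"') && value.endsWith('"');
    const singleQuoted = value.startsWith("'") && value.endsWith("'");
    if (value.length >= 2 && (doubleQuoted || singleQuoted)) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// Plain prefix test on the raw key; the trailing underscore in each prefix
// keeps e.g. "OPENCLAWX" from matching "OPENCLAW_".
function isBlockedKey(key: string, prefixes: readonly string[]): boolean {
  return prefixes.some((p) => key.startsWith(p));
}

// Loads an untrusted workspace .env into a fresh map, dropping blocked keys.
// Keys already present in processEnv are never overridden by the workspace
// file (assumed "don't override existing" dotenv behaviour).
function loadWorkspaceDotenv(
  text: string,
  processEnv: Readonly<Record<string, string>>,
  prefixes: readonly string[],
): LoadResult {
  const applied: Record<string, string> = {};
  const blocked: string[] = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (isBlockedKey(key, prefixes)) {
      blocked.push(key);
      continue;
    }
    if (key in processEnv) continue;
    applied[key] = value;
  }
  return { applied, blocked };
}

// Constructed sample of a malicious workspace .env. OPENCLAW_GIT_DIR is the
// variable named in the advisory; OPENCLAW_SKIP_EXAMPLE is a placeholder name.
const SAMPLE_WORKSPACE_ENV = `
# looks harmless
PROJECT_NAME=demo
OPENCLAW_GIT_DIR="/tmp/attacker-controlled/.git"
OPENCLAW_SKIP_EXAMPLE=1
`;

// Before: the enumerated list misses OPENCLAW_GIT_DIR. After: the reserved
// namespace rejects it along with any other OPENCLAW_* key.
function demo(): { before: LoadResult; after: LoadResult } {
  const processEnv: Record<string, string> = {};
  return {
    before: loadWorkspaceDotenv(SAMPLE_WORKSPACE_ENV, processEnv, ENUMERATED_PREFIXES),
    after: loadWorkspaceDotenv(SAMPLE_WORKSPACE_ENV, processEnv, RESERVED_PREFIXES),
  };
}
```

The design point is the direction of the default: an enumerated list has to be updated every time a new `OPENCLAW_*` control is introduced, and a missed update reopens the hole, whereas reserving the prefix means a new control is protected the day it is added. When reviewing a similar loader, check where the blocklist is consulted relative to any key normalization, and that the blocked keys are logged rather than silently dropped so a poisoned workspace is visible in the audit trail.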

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
openclaw (npm) | < 2026.4.20 | 2026.4.20

Affected products (2)

  • OpenClaw/Openclaw (2 versions)
    • (no CPE)
    • cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*  range: <2026.4.20

Patches (1)

018494fa3ebb

fix(dotenv): reserve workspace OPENCLAW env namespace (#69376)

https://github.com/openclaw/openclaw · Agustin Rivera · Apr 20, 2026 · via GHSA
3 files changed · +8 −0
  • CHANGELOG.md (+1 −0, modified)
    @@ -17,6 +17,7 @@ Docs: https://docs.openclaw.ai
     - BlueBubbles: raise the outbound `/api/v1/message/text` send timeout default from 10s to 30s, and add a configurable `channels.bluebubbles.sendTimeoutMs` (also per-account) so macOS 26 setups where Private API iMessage sends stall for 60+ seconds no longer silently lose messages at the 10s abort. Probes, chat lookups, and health checks keep the shorter 10s default. Fixes #67486. (#69193) Thanks @omarshahine.
     - Context engine/plugins: stop rejecting third-party context engines whose `info.id` differs from the registered plugin slot id. The strict-match contract added in 2026.4.14 broke `lossless-claw` and other plugins whose internal engine id does not equal the slot id they are registered under, producing repeated `info.id must match registered id` lane failures on every turn. Fixes #66601. (#66678) Thanks @GodsBoy.
     - Agents/compaction: rename embedded Pi compaction lifecycle events to `compaction_start` / `compaction_end` so OpenClaw stays aligned with `pi-coding-agent` 0.66.1 event naming. (#67713) Thanks @mpz4life.
    +- Security/dotenv: block all `OPENCLAW_*` keys from untrusted workspace `.env` files so workspace-local env loading fails closed for new runtime-control variables instead of silently inheriting them. (#473)
     
     ## 2026.4.20
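    Review bot: the PR reference in the new entry, `(#473)`, does not match the `#69376` in the commit subject, while the neighbouring entries in this hunk each cite their own PR number; confirm which reference is correct. Also, the line is inserted just above the `## 2026.4.20` heading, i.e. in the section preceding that release, whereas the advisory lists 2026.4.20 as the patched version; confirm the entry sits under the release that actually ships the change.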
     
    
  • src/infra/dotenv.test.ts (+4 −0, modified)
    @@ -607,6 +607,10 @@ describe("workspace .env blocklist completeness", () => {
         await withIsolatedEnvAndCwd(async () => {
           await withDotEnvFixture(async ({ cwdDir }) => {
             const runtimeControlKeys = [
    +          "OPENCLAW_GIT_DIR",
    +          "OPENCLAW_WORKSPACE_DIR",
    +          "OPENCLAW_MDNS_HOSTNAME",
    +          "OPENCLAW_SESSION_CACHE_TTL_MS",
               "OPENCLAW_UPDATE_PACKAGE_SPEC",
               "OPENCLAW_GATEWAY_PORT",
               "OPENCLAW_GATEWAY_URL",
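    Review bot: the added keys only lengthen an enumerated `runtimeControlKeys` list, so this test still does not exercise the namespace reservation the commit subject promises; add a case asserting that an `OPENCLAW_` key that is not in the list (a made-up name is fine) is also rejected from the workspace `.env`. Without it, the next runtime-control variable can regress silently, which is exactly the failure mode the fix targets.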
    
  • src/infra/dotenv.ts (+3 −0, modified)
    @@ -75,6 +75,9 @@ const BLOCKED_WORKSPACE_DOTENV_PREFIXES = [
       "ANTHROPIC_API_KEY_",
       "CLAWHUB_",
       "OPENAI_API_KEY_",
    +  // Workspace .env is untrusted; reserve the full OpenClaw runtime namespace
    +  // for shell/global config so new OPENCLAW_* controls are fail-closed by default.
    +  "OPENCLAW_",
       "OPENCLAW_CLAWHUB_",
       "OPENCLAW_DISABLE_",
       "OPENCLAW_SKIP_",
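    Review bot: once `"OPENCLAW_"` is in `BLOCKED_WORKSPACE_DOTENV_PREFIXES`, the `"OPENCLAW_CLAWHUB_"`, `"OPENCLAW_DISABLE_"` and `"OPENCLAW_SKIP_"` entries that follow are subsumed by the prefix match; either drop them or extend the comment to say why they stay, so a later reader does not mistake the narrower entries for the intended scope. The comment's fail-closed claim also holds only if the check is a plain prefix test on the raw key, so it is worth confirming that nothing normalizes or special-cases keys before the blocklist is consulted.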
    
