Description
OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.
Published: 2026-04-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions before 2026.3.22 contain an inconsistency in the sanitization of environment variable overrides. Attackers can craft blocked or malformed override keys that slip through the validation logic, allowing them to inject arbitrary environment variables. When these overridden variables are applied during server execution, they enable the attacker to execute arbitrary code within the OpenClaw process context, compromising confidentiality, integrity, and availability of the host system.

Affected Systems

The vulnerability affects the OpenClaw application, distributed as the product OpenClaw. All installations running any release prior to 2026.3.22 are susceptible. The issue is present in the Node.js based deployment of the software where environment variables are parsed during startup.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity impact. No EPSS score is publicly available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be remote because an attacker can influence environment variable overrides through external interfaces such as configuration files, API endpoints, or deployment scripts. Successful exploitation would allow arbitrary code execution with the privileges of the running OpenClaw process.

Generated by OpenCVE AI on April 10, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the update to OpenClaw version 2026.3.22 or later, which removes the inconsistent sanitization flaw.
  • Verify that any environment variable override functionality is disabled or properly validated according to the vendor’s policy.
  • If an upgrade cannot be performed immediately, limit the use of environment variable overrides and monitor system logs for anomalous variable assignments.

Generated by OpenCVE AI on April 10, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-39pp-xp36-q6mg OpenClaw has Inconsistent Host Exec Environment Override Sanitization
History

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.
Title OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-15
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T18:22:40.750Z

Reserved: 2026-04-04T12:31:23.534Z

Link: CVE-2026-35650

cve-icon Vulnrichment

Updated: 2026-04-10T18:22:36.351Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:05.627

Modified: 2026-04-13T20:46:42.373

Link: CVE-2026-35650

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:54Z

Weaknesses