Description
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
Published: 2026-05-11
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before 2026.4.22 permits users with workspace access to manipulate dotenv files, allowing them to override the endpoint hosts for built‑in connectors such as Matrix, Mattermost, IRC, and Synology. By setting custom endpoint variables, an attacker can redirect traffic that the application sends to these connectors to arbitrary malicious servers, potentially capturing or tampering with the data transmitted to or from these services. The vulnerability is a configuration‑based weakness (CWE-441). The impacted systems may therefore expose sensitive information or allow further compromise of downstream services even though the application itself is not directly compromised.

Affected Systems

The affected product is OpenClaw as distributed before version 2026.4.22. Any deployment using the Matrix, Mattermost, IRC, or Synology connectors is susceptible, provided the attacker can modify or add dotenv files within the workspace. No additional vendor or model information is available beyond the OpenClaw product name.

Risk and Exploitability

The CVSS score of 4.1 indicates a moderate impact level. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an attacker with the ability to write workspace dotenv files can configure the application to point the connectors at an attacker‑controlled endpoint. The scope is limited to users who have workspace access, so the risk is mitigated if strict access controls are in place, but it remains a concern if any untrusted user can modify these files.

Generated by OpenCVE AI on May 11, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.22 or later
  • Restrict write permissions on workspace dotenv files to trusted administrators
  • Verify connector endpoint configurations to ensure no unauthorized overrides
  • Monitor outbound connector traffic for abnormal destinations
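The precedence rule behind the recommended actions, as an added example that is not OpenClaw's own code: a workspace dotenv may fill unset variables, but connector endpoint host keys are accepted only from the trusted process environment, and any attempt by the dotenv to set one is dropped and returned so it can be logged or alerted on. The key names in ENDPOINT_KEYS and the sample .env are hypothetical placeholders, not OpenClaw's real configuration.

```javascript
// Added example, not OpenClaw's code: merge a workspace dotenv into the runtime
// environment without letting it override connector endpoint hosts. The key
// names in ENDPOINT_KEYS are hypothetical placeholders, not OpenClaw's real ones.
const ENDPOINT_KEYS = new Set([
  'MATRIX_HOMESERVER_URL',
  'MATTERMOST_URL',
  'IRC_HOST',
  'SYNOLOGY_HOST',
]);
// Minimal dotenv parser: KEY=value per line, '#' comments, optional quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const quoted = val.length >= 2 && (val[0] === '"' || val[0] === "'") && val[val.length - 1] === val[0];
    if (quoted) val = val.slice(1, -1);
    out[key] = val;
  }
  return out;
}

// Endpoint hosts come only from the trusted process environment; any attempt
// by the workspace dotenv to set one is dropped and reported for alerting.
// Other dotenv keys fill gaps but never override values already present.
function buildRuntimeEnv(trustedEnv, dotenvText) {
  const env = { ...trustedEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(parseDotenv(dotenvText))) {
    if (ENDPOINT_KEYS.has(key)) {
      rejected.push({ key, value });
      continue;
    }
    if (!(key in env)) env[key] = value;
  }
  return { env, rejected };
}

// Constructed sample workspace .env that tries to redirect two connectors.
const SAMPLE_DOTENV = [
  '# workspace settings',
  'LOG_LEVEL=debug',
  'MATRIX_HOMESERVER_URL=https://matrix.example.invalid',
  "IRC_HOST='irc.example.invalid'",
].join('\n');
```

Calling `buildRuntimeEnv(process.env, fs.readFileSync('.env', 'utf8'))` at startup and logging the `rejected` list gives operators the "unauthorized override" signal the actions above ask for.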

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Values added:
  Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Values added:
  Description: OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
  Title: OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
  First time appeared: Openclaw; Openclaw openclaw
  Weaknesses: CWE-441
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw; Openclaw openclaw
  References:
  Metrics: cvssV3_1
  {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}
  cvssV4_0
  {'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T17:25:09.458Z

Reserved: 2026-05-08T16:43:53.068Z

Link: CVE-2026-45003

Vulnrichment

Updated: 2026-05-11T17:25:06.209Z

NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:40.523

Modified: 2026-05-12T14:20:56.547

Link: CVE-2026-45003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses