CVSS 7.8 · HIGH

CVE-2026-41387

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.


Analysis

OpenClaw is a specialized host security tool for environment sanitization that is not widely used in the common development stack. The vulnerability allows attackers to redirect package resolution to malicious infrastructure, but the impact is limited to environments already running this specific niche tool and requires approved exec requests to trigger.

Severity

Score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-183

EPSS

Probability of exploitation (next 30 days): 0.0002 (0.0%)
Percentile: 5.2%
EPSS: 2026-05-06

Affects

openclaw:openclaw

Technical description

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.
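The weakness class described above (CWE-183, an incomplete list of blocked inputs) is easiest to see in code. The following TypeScript is an added illustration written for this page; it is not OpenClaw's host-env-security.ts, and the policy shape, the function names and the specific variable names are assumptions about how such a sanitizer could be built. It generalizes slightly beyond the record: a narrow policy that only strips loader hooks is compared with a broader one that also drops the package-manager and runtime-bootstrap overrides (npm, pip, Node and Python variables) that an approved exec request would otherwise inherit.

```typescript
// Added example: a host-environment sanitizer applied before an approved exec.
// Not OpenClaw code; the policy format and variable lists are assumptions.

interface HostEnvPolicy {
  blockedNames: string[];    // exact variable names, matched case-insensitively
  blockedPrefixes: string[]; // any variable starting with one of these (case-insensitive)
}

// Narrow policy: blocks dynamic-loader hooks but misses package-manager overrides.
export const NARROW_POLICY: HostEnvPolicy = {
  blockedNames: ["LD_PRELOAD", "DYLD_INSERT_LIBRARIES"],
  blockedPrefixes: [],
};

// Broader policy: additionally drops variables that redirect package resolution
// (npm/yarn/pip registries and index URLs) or runtime bootstrap (NODE_OPTIONS,
// NODE_PATH, PYTHONPATH, PYTHONSTARTUP). Illustrative list, not exhaustive.
export const BROAD_POLICY: HostEnvPolicy = {
  blockedNames: [
    "LD_PRELOAD", "DYLD_INSERT_LIBRARIES",
    "NODE_OPTIONS", "NODE_PATH",
    "PYTHONPATH", "PYTHONSTARTUP",
    "PIP_INDEX_URL", "PIP_EXTRA_INDEX_URL", "PIP_CONFIG_FILE",
  ],
  blockedPrefixes: ["NPM_CONFIG_", "YARN_", "COREPACK_"],
};

export interface SanitizeResult {
  env: Record<string, string>; // environment handed to the child process
  dropped: string[];           // variable names removed, for audit logging
}

// Returns a copy of `env` with every variable matching the policy removed.
// Matching is case-insensitive because npm honours npm_config_* in any case.
export function sanitizeHostEnv(
  env: Record<string, string>,
  policy: HostEnvPolicy,
): SanitizeResult {
  const names = new Set(policy.blockedNames.map((n) => n.toUpperCase()));
  const prefixes = policy.blockedPrefixes.map((p) => p.toUpperCase());
  const out: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(env)) {
    const upper = key.toUpperCase();
    if (names.has(upper) || prefixes.some((p) => upper.startsWith(p))) {
      dropped.push(key);
      continue;
    }
    out[key] = value;
  }
  return { env: out, dropped };
}

// Constructed sample environment for an approved exec request (not real data).
export const SAMPLE_ENV: Record<string, string> = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/agent",
  npm_config_registry: "http://registry.example.invalid/", // lowercase form npm also reads
  NODE_OPTIONS: "--require /tmp/hook.js",
  PIP_INDEX_URL: "http://pypi.example.invalid/simple",
  LD_PRELOAD: "/tmp/hook.so",
};

// Stand-alone run: show what each policy lets through.
export function main(): void {
  for (const [label, policy] of [["narrow", NARROW_POLICY], ["broad", BROAD_POLICY]] as const) {
    const result = sanitizeHostEnv(SAMPLE_ENV, policy);
    console.log(`${label}: dropped=${JSON.stringify(result.dropped)} kept=${Object.keys(result.env)}`);
  }
}
```

Under the narrow policy the child still receives npm_config_registry, NODE_OPTIONS and PIP_INDEX_URL, so an approved command such as an install or a script run resolves packages and bootstraps its runtime from whatever those variables point at; the broader policy drops them and records the names it removed, which is the audit trail a reviewer wants when an exec request is approved.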

Published: 4/28/2026, 7:37:41 PM
Last modified: 4/30/2026, 8:36:10 PM
