CVSS 7.8 · HIGH

CVE-2026-44114

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.

Analysis

OpenClaw is susceptible to environment variable injection through malicious workspace dotenv files, which could allow an attacker to manipulate runtime behaviors like git directories. While the vulnerability is high severity, OpenClaw is not a core piece of infrastructure or a widely used tool within the standard web and mobile development ecosystem.
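The fix the advisory describes is to treat the OPENCLAW_ prefix as a reserved namespace that workspace dotenv files may not write into. The loader below is an added illustration of that rule, not OpenClaw's own code; the parser, function names and the sample workspace file are constructed for this example.

```python
import re

# Prefix the advisory says must be reserved for runtime control; a workspace
# dotenv file must never be allowed to set or override keys in it.
RESERVED_PREFIX = "OPENCLAW_"

# Matches "KEY=value" and "export KEY=value"; surrounding quotes are stripped below.
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal dotenv parser: skips blanks and comments, accepts quoted values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def load_workspace_env(text: str, base_env: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Merge a workspace dotenv into base_env; return (merged env, rejected reserved keys)."""
    merged = dict(base_env)
    rejected = []
    for key, value in parse_dotenv(text).items():
        # Compare case-insensitively so mixed-case spellings of the prefix are still caught.
        if key.upper().startswith(RESERVED_PREFIX):
            rejected.append(key)  # callers should log these: a workspace tried to steer the runtime
            continue
        merged[key] = value
    return merged, rejected


# Constructed sample: ordinary project settings plus one reserved-namespace override.
SAMPLE_WORKSPACE_ENV = """
# project settings
API_BASE=https://example.invalid
export DEBUG="true"
OPENCLAW_GIT_DIR=/tmp/workspace-controlled
"""

if __name__ == "__main__":
    env, bad = load_workspace_env(SAMPLE_WORKSPACE_ENV, {"OPENCLAW_GIT_DIR": "/opt/openclaw/.git"})
    print(env, bad)
```

Rejected keys are returned rather than silently dropped so the installer or updater can log the attempt, which is the signal a defender would want from a workspace that ships such a file.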

Severity

Score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-184

EPSS

No EPSS score yet (CVE may be too fresh).

Published: 5/6/2026, 8:16:35 PM
Last modified: 5/6/2026, 9:20:52 PM
