Skip to content
CVSS 7.8 · HIGH

CVE-2026-41384

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.

Ver en NVD

Análisis

OpenClaw is a niche open-source project with very limited adoption in professional web, mobile, or backend development. The vulnerability involves RCE through malicious configuration files, which is a significant bug but lacks the reach to justify a community-wide alert.

Severidad

Puntaje: 7.8(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-15

EPSS

Probabilidad de explotación (próx. 30 días): 0.0001 (0.0%)
Percentil: 2.8%
EPSS: 2026-05-06

Afecta

openclaw:openclaw

Descripción técnica

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.

Publicada: 28/4/2026, 19:37:41
Última modificación: 1/5/2026, 15:52:11

Referencias

InicioEventosBlogRecursosEquipo