CVSS 7.8 · HIGH

CVE-2026-41387

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.


Analysis

OpenClaw is a specialized host security tool for environment sanitization that is not widely used in the common development stack. The vulnerability allows attackers to redirect package resolution to malicious infrastructure, but the impact is limited to environments already running this specific niche tool and requires approved exec requests to trigger.
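The weakness class named above (CWE-183, a permissive or incomplete list of what may pass through) is easiest to see side by side: one denylist that strips a couple of well-known variables but still lets registry and index overrides reach the child process, and a stricter one that also catches them. This is an added illustration, not OpenClaw's code; the policy shape, the variable names it blocks and the sample environment are assumptions chosen for the demonstration.

```typescript
// Added illustration of an incomplete environment denylist (CWE-183).
// Not OpenClaw's code: policy shape, blocked names and sample env are assumptions.

// Hypothetical policy shape, modelled loosely on a JSON policy file: names
// stripped exactly, and prefixes under which every variable is stripped.
interface HostEnvPolicy {
  denyExact: string[];
  denyPrefix: string[];
}

// Permissive policy: blocks two common injection vectors but says nothing
// about variables that retarget a package manager's registry or index.
const incompletePolicy: HostEnvPolicy = {
  denyExact: ["LD_PRELOAD", "NODE_OPTIONS"],
  denyPrefix: [],
};

// Stricter policy: anything that can point npm/pnpm/corepack or pip at a
// different source, or alter runtime bootstrap, is stripped wholesale.
const strictPolicy: HostEnvPolicy = {
  denyExact: ["LD_PRELOAD", "NODE_OPTIONS", "PYTHONPATH", "PIP_INDEX_URL"],
  denyPrefix: ["NPM_CONFIG_", "PNPM_", "COREPACK_", "PIP_"],
};

// Builds the environment handed to an approved exec request. Prefix matching
// is case-insensitive because npm reads npm_config_* in either case.
function sanitizeEnv(env: Record<string, string>, policy: HostEnvPolicy): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(env)) {
    const upper = name.toUpperCase();
    if (policy.denyExact.some((d) => d.toUpperCase() === upper)) continue;
    if (policy.denyPrefix.some((p) => upper.startsWith(p.toUpperCase()))) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample environment for one exec request (values are placeholders).
const sampleEnv: Record<string, string> = {
  PATH: "/usr/bin",
  HOME: "/home/agent",
  NODE_OPTIONS: "--require /tmp/hook.js",
  npm_config_registry: "http://registry.invalid/",
  PIP_INDEX_URL: "http://index.invalid/simple",
};

// Surviving variable names under each policy, for comparison.
function survivingNames(policy: HostEnvPolicy): string[] {
  return Object.keys(sanitizeEnv(sampleEnv, policy)).sort();
}
```

Under the permissive policy the registry and index overrides survive, so a package install inside the exec request would resolve from wherever they point; under the strict policy only PATH and HOME remain.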

Severity

Score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-183

EPSS

Probability of exploitation (next 30 days): 0.0002 (0.0%)
Percentile: 5.2%
EPSS score date: 2026-05-06

Affects

openclaw:openclaw

Published: 28/4/2026, 19:37:41
Last modified: 30/4/2026, 20:36:10
