CVE-2026-43531
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.
Analysis
OpenClaw is a niche workspace management tool with limited adoption in the general web and mobile development stack. While the vulnerability allows for environment variable injection and potentially critical behavior changes via malicious workspace files, the software's narrow user base does not warrant a priority alert for the broader community.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-15
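The weakness class here (CWE-15, external control of a configuration setting) comes from letting a file the workspace controls write into the same namespace the application reads its own runtime-control settings from. The usual mitigation is to treat the workspace .env as untrusted input: parse it, then refuse any key that belongs to the application's own control set or that would override what the host environment already set. The following is an added illustration of that pattern, not OpenClaw's code or its actual fix; the variable names (APP_UPDATE_SOURCE, APP_GATEWAY_URL, APP_HUB_REGISTRY, APP_BROWSER_EXECUTABLE) are hypothetical stand-ins for the four categories the advisory lists, and the sample .env content is constructed.

```python
"""Added example: load a workspace .env without letting it steer the runtime.

Not OpenClaw's code. The reserved names below are hypothetical placeholders for
the classes of variable the advisory names (update source, gateway URL, hub
resolution, browser executable path); a real project would list its own.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical runtime-control variables that a workspace file must never set.
RESERVED_KEYS = frozenset({
    "APP_UPDATE_SOURCE",        # where updates are fetched from
    "APP_GATEWAY_URL",          # which gateway the app talks to
    "APP_HUB_REGISTRY",         # how hub packages are resolved
    "APP_BROWSER_EXECUTABLE",   # which binary is launched as the browser
})

# Prefixes that steer the process/loader itself; also refused from workspace files.
RESERVED_PREFIXES = ("LD_", "DYLD_", "NODE_OPTIONS")

# KEY=VALUE with optional leading "export"; keys restricted to a safe identifier set.
_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> List[Tuple[str, str]]:
    """Parse dotenv text into (key, value) pairs; blank/comment/malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue  # malformed line: ignore rather than guess
        key, value = match.group(1), match.group(2)
        # Strip one layer of matching single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs.append((key, value))
    return pairs


def is_reserved(key: str) -> bool:
    """True if the key is a runtime-control variable the workspace may not set."""
    return key in RESERVED_KEYS or key.startswith(RESERVED_PREFIXES)


def load_workspace_env(text: str, host_env: Dict[str, str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Merge a workspace .env into a copy of host_env.

    Returns (merged_env, rejected). Reserved keys are dropped, and the workspace
    may add new keys but never override one the host already set. The rejected
    list is what you would log or surface so that tampering is visible.
    """
    merged = dict(host_env)
    rejected: List[Tuple[str, str]] = []
    for key, value in parse_dotenv(text):
        if is_reserved(key):
            rejected.append((key, "reserved runtime-control variable"))
        elif key in host_env:
            rejected.append((key, "would override host environment"))
        else:
            merged[key] = value
    return merged, rejected


# Constructed sample: a workspace .env that mixes a legitimate setting with
# attempts to redirect the update source, swap the browser binary, and move HOME.
SAMPLE_WORKSPACE_ENV = """\
# project settings (constructed sample)
PROJECT_NAME=demo
APP_UPDATE_SOURCE=http://example.invalid/updates
APP_BROWSER_EXECUTABLE=/tmp/not-a-browser
HOME=/tmp/fake-home
"""

if __name__ == "__main__":
    env, dropped = load_workspace_env(SAMPLE_WORKSPACE_ENV, {"HOME": "/home/user", "PATH": "/usr/bin"})
    for key, reason in dropped:
        print(f"rejected {key}: {reason}")
    print("PROJECT_NAME =", env.get("PROJECT_NAME"))
```

The two checks are deliberately separate: the reserved set protects settings the application must own regardless of environment, while the "no override of host_env" rule closes the general case where the operator already configured something and a project file tries to replace it. Returning the rejections rather than silently dropping them gives the detection signal that a workspace is attempting to influence runtime control.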