CVE-2026-44114
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.
Analysis
OpenClaw is susceptible to environment variable injection through malicious workspace dotenv files, which could allow an attacker to manipulate runtime behaviors like git directories. While the vulnerability is high severity, OpenClaw is not a core piece of infrastructure or a widely used tool within the standard web and mobile development ecosystem.
Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-184
EPSS
No EPSS score yet (very recent CVE).
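The defensive pattern the advisory implies is that a workspace dotenv file may add project variables but must never define or override anything in the runtime-control namespace. The following Python is an added illustration of that rule and is not OpenClaw's code: the dotenv subset it parses, the function names, and the sample workspace file are all assumptions for the example; only the OPENCLAW_ prefix and the OPENCLAW_GIT_DIR variable name come from the advisory.

```python
"""Workspace dotenv loading with a reserved runtime-control namespace.

Added example, not OpenClaw's own code. It parses a minimal dotenv subset
(KEY=value, optional 'export', single/double quotes, '#' comments) and
refuses to let the workspace file set any key under a reserved prefix.
Rejected keys are returned so the caller can log them as a detection signal.
"""
import re
from typing import Dict, List, Tuple

# Prefix taken from the advisory; everything under it is runtime-controlled.
RESERVED_PREFIXES = ("OPENCLAW_",)

_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse a minimal dotenv subset into an ordered dict (assumed format)."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignored, as most dotenv loaders do
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted value, keep contents verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop trailing comment
        result[key] = value
    return result


def is_reserved(key: str) -> bool:
    """True if the key falls in a reserved namespace.

    The comparison is case-insensitive on purpose: Windows environment
    names are case-insensitive, so openclaw_git_dir would collide with
    OPENCLAW_GIT_DIR there even though POSIX treats them as distinct.
    """
    upper = key.upper()
    return any(upper.startswith(p) for p in RESERVED_PREFIXES)


def apply_workspace_env(base_env: Dict[str, str], dotenv_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Merge a workspace dotenv into a copy of base_env, dropping reserved keys.

    Returns (merged_env, rejected_keys). The base environment (the trusted
    runtime's own settings) always wins for reserved keys.
    """
    env = dict(base_env)
    rejected: List[str] = []
    for key, value in parse_dotenv(dotenv_text).items():
        if is_reserved(key):
            rejected.append(key)
            continue
        env[key] = value
    return env, rejected


# Constructed sample workspace .env (not from the advisory).
WORKSPACE_DOTENV = """\
# constructed sample workspace .env
API_BASE=https://example.test
export OPENCLAW_GIT_DIR=/tmp/workspace-controlled
openclaw_git_dir="/tmp/other"
DEBUG=1 # trailing comment
"""

# Constructed trusted runtime environment (placeholder paths).
RUNTIME_ENV = {"OPENCLAW_GIT_DIR": "/opt/openclaw/.git", "PATH": "/usr/bin"}


if __name__ == "__main__":
    merged, rejected = apply_workspace_env(RUNTIME_ENV, WORKSPACE_DOTENV)
    for key in rejected:
        print(f"refused reserved key from workspace dotenv: {key}")
    print(merged)
```

The point of returning the rejected keys rather than silently dropping them is that a workspace trying to set OPENCLAW_GIT_DIR is itself worth surfacing in logs; the runtime keeps its own value regardless.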