CVE-2026-41369
Status: Received (Intake)
Environment Variable Injection in OpenClaw Host Exec Risks System Integrity

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VulnCheck

Description
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.3.31 (2026.3.31 itself excluded)
CWE
CWE-668: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41369 is a vulnerability in OpenClaw versions before 2026.3.31 caused by insufficient sanitization of the environment variables that OpenClaw passes through to host exec operations.

Specifically, OpenClaw fails to filter environment variables that override package management, registry settings, Docker client configuration, compiler options, and TLS trust settings.

An attacker who can influence the environment of a host exec can inject such variables to override critical system and toolchain configuration, compromising the integrity of the processes OpenClaw launches on the host.

The root cause is an incomplete denylist: the sanitizer strips only some known-dangerous variables, so other override variables in these families survive into the child process's environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not explicitly address how CVE-2026-41369 affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me? :

This vulnerability can allow attackers with limited privileges to inject malicious environment variables that override critical system and development-environment settings. Depending on which variables survive into the child process, an attacker can:

  • Redirect Docker commands to an attacker-controlled daemon endpoint (for example via DOCKER_HOST).
  • Make TLS clients trust attacker-supplied certificate authorities or certificates (TLS override variables such as SSL_CERT_FILE or NODE_EXTRA_CA_CERTS).
  • Alter compiler include and library search paths (CPATH, C_INCLUDE_PATH, LIBRARY_PATH) so builds pick up attacker-controlled headers or libraries.
  • Manipulate package resolution (for example via PIP_CONFIG_FILE or registry overrides) so that compromised dependencies are installed.
  • Hijack Python virtual environments or user bases.

Overall, this compromises the integrity of host execution and can give the attacker unauthorized control over, or manipulation of, the processes OpenClaw launches on the host.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking whether unsafe environment variables related to package management, registries, Docker, compilers, or TLS overrides are set in the environment that host exec operations inherit.

Inspect the environment of the shell or service that runs OpenClaw, and of already-running OpenClaw processes, for any of the risky variables carrying unexpected values.

  • Use `env` or `printenv` to list the variables of the current shell. Note that this shows only the shell's own environment, not that of a separately started service.
  • Filter for known risky variables such as DOCKER_HOST, PIP_CONFIG_FILE, SSL_CERT_FILE, LIBRARY_PATH, and others listed in the fix. Anchor the pattern to the start of the line so that substrings in values do not produce false matches.
  • Example command: `env | grep -E '^(DOCKER_HOST|PIP_CONFIG_FILE|SSL_CERT_FILE|LIBRARY_PATH|CPATH|C_INCLUDE_PATH|NODE_EXTRA_CA_CERTS)='`
  • On Linux, the environment of a running process can be read from procfs: `tr '\0' '\n' < /proc/<pid>/environ | grep -E '^(DOCKER_HOST|SSL_CERT_FILE|C_INCLUDE_PATH)='` (replace `<pid>` with the OpenClaw process ID).

Additionally, review logs or diagnostics from the sanitization function if available, which can report rejected or blocked environment variables.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade OpenClaw to version 2026.3.31 or later, where the vulnerability has been fixed by expanding the sanitization of environment variables in host exec.

This update blocks overrides of critical environment variables related to package management, Docker, compiler paths, and TLS certificates, preventing malicious environment injection.

Until the upgrade can be applied, audit and restrict the environment variables in host execution contexts so that no unsafe or untrusted variables are set. Where you control how OpenClaw is launched, start it from a minimal environment rather than inheriting the full environment of an interactive shell.

Implement monitoring or logging of the environment variables used during host executions to detect any suspicious overrides.
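The following is an added example, written for this page and not OpenClaw's own code. It covers both the detection step described above and the interim mitigation: an audit routine that reports which risky variables are present in an environment snapshot, and a sanitizer that strips them before a host exec is spawned. The variable names taken from this page are marked as such in the code; the sibling variables and prefix families added alongside them are my assumptions, not taken from the advisory, and the short "narrow" denylist used for contrast is hypothetical and does not represent OpenClaw's actual pre-fix list. The sample environment is constructed.

```typescript
// Added example, not OpenClaw's own code. Audits and sanitizes the environment
// passed to a host exec. Names marked "page" come from this advisory; names
// marked "assumed" are my additions in the same families.
import { spawnSync } from "node:child_process";

export type Env = Record<string, string | undefined>;

// page: variables this advisory names explicitly.
const PAGE_LISTED = [
  "DOCKER_HOST", "PIP_CONFIG_FILE", "SSL_CERT_FILE", "LIBRARY_PATH",
  "CPATH", "C_INCLUDE_PATH", "NODE_EXTRA_CA_CERTS",
];
// assumed: siblings in the same families (Docker, TLS, compiler, Python).
const ASSUMED_SIBLINGS = [
  "DOCKER_CONFIG", "DOCKER_CERT_PATH", "DOCKER_TLS_VERIFY",
  "SSL_CERT_DIR", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "NODE_TLS_REJECT_UNAUTHORIZED",
  "CPLUS_INCLUDE_PATH", "CC", "CXX", "CFLAGS", "CXXFLAGS", "LDFLAGS",
  "VIRTUAL_ENV", "PYTHONUSERBASE",
];
const EXACT_DENY = new Set([...PAGE_LISTED, ...ASSUMED_SIBLINGS]);
// assumed: prefix families in which every member is a configuration override
// (package managers and registries, Python, dynamic loaders, Docker client).
const DENY_PREFIXES = ["NPM_CONFIG_", "YARN_", "PIP_", "PYTHON", "LD_", "DYLD_", "DOCKER_"];

// Case-insensitive match, because Windows treats variable names that way.
export function isRiskyVar(name: string): boolean {
  const upper = name.toUpperCase();
  return EXACT_DENY.has(upper) || DENY_PREFIXES.some((p) => upper.startsWith(p));
}

export interface Finding { name: string; value: string; }

// Detection: which risky variables are set in an environment snapshot.
export function auditEnv(env: Env): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (value !== undefined && isRiskyVar(name)) findings.push({ name, value });
  }
  return findings;
}

// Mitigation: a copy of env with every risky variable removed, plus the names
// that were dropped so the caller can log them.
export function sanitizeEnv(env: Env): { env: Env; dropped: string[] } {
  const clean: Env = {};
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (value === undefined) continue;
    if (isRiskyVar(name)) dropped.push(name);
    else clean[name] = value;
  }
  return { env: clean, dropped };
}

// Hypothetical narrow denylist standing in for the "incomplete blacklist" the
// page describes. It is NOT OpenClaw's real pre-fix list; it only shows how a
// short list lets DOCKER_HOST and its relatives through untouched.
const NARROW_DENY = new Set(["LD_PRELOAD", "LD_LIBRARY_PATH"]);
export function narrowSanitize(env: Env): Env {
  const out: Env = {};
  for (const [name, value] of Object.entries(env)) {
    if (!NARROW_DENY.has(name)) out[name] = value;
  }
  return out;
}

// Constructed sample environment (not captured from a real host).
export const SAMPLE_ENV: Env = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/agent",
  LANG: "C.UTF-8",
  DOCKER_HOST: "tcp://203.0.113.10:2375",           // redirects the docker CLI
  SSL_CERT_FILE: "/tmp/attacker-ca.pem",            // trusts an attacker CA
  NPM_CONFIG_REGISTRY: "http://203.0.113.10:4873/", // poisons package resolution
  C_INCLUDE_PATH: "/tmp/poisoned-include",          // injects headers into builds
  PIP_CONFIG_FILE: "/tmp/pip.conf",                 // redirects pip
};

// Spawn a child with the given env and return what it sees for one variable.
export function childSees(name: string, env: Env): string {
  const script = `process.stdout.write(process.env[${JSON.stringify(name)}] ?? "unset")`;
  const r = spawnSync(process.execPath, ["-e", script], { env, encoding: "utf8" });
  return r.stdout ?? "";
}

for (const f of auditEnv(SAMPLE_ENV)) console.log(`risky: ${f.name}=${f.value}`);
const { env: cleanEnv, dropped } = sanitizeEnv(SAMPLE_ENV);
console.log(`dropped: ${dropped.join(", ")}`);
console.log(`narrow denylist keeps DOCKER_HOST: ${"DOCKER_HOST" in narrowSanitize(SAMPLE_ENV)}`);
console.log(`child with sanitized env sees DOCKER_HOST = ${childSees("DOCKER_HOST", cleanEnv)}`);
```

A denylist like this one can only ever be as complete as its author's knowledge of override variables, which is exactly the failure mode this advisory describes; where the commands a host exec runs are known in advance, passing an explicit allowlist (PATH, HOME, LANG and whatever the tool genuinely needs) is the stronger design. The audit function is the same check the `env | grep` command above performs, applied to an in-memory snapshot such as `process.env`.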

