Executive Summary

CVE-2026-41373 is a vulnerability in OpenClaw versions before 2026.3.31 caused by an incomplete host-env-security-policy.json file. This incomplete policy fails to restrict certain environment variables related to compiler binaries, specifically CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER. Because of this, attackers who already have approved host execution permissions can override these environment variables to substitute the compiler binaries with malicious ones. This allows them to execute arbitrary code during build processes.

The vulnerability is classified under CWE-427 (Uncontrolled Search Path Element), meaning that the system uses a search path to locate resources but some parts of that path can be manipulated by unauthorized actors. The issue was fixed in OpenClaw version 2026.3.31 by blocking these dangerous environment variables and sanitizing the host execution environment to prevent such overrides.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with approved host execution permissions to substitute compiler binaries during build processes. By overriding environment variables like CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER, the attacker can execute arbitrary or malicious code within the build environment.

Such arbitrary code execution can lead to compromise of the build process, potentially injecting malicious code into software builds, affecting software integrity and trustworthiness. This poses a moderate security risk, especially in environments where build processes are critical and trusted.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves environment variables such as CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER being overridden to substitute compiler binaries during build processes. Detection involves checking if these environment variables are set to unexpected or untrusted paths during host execution requests.

One way to detect potential exploitation is to inspect the environment variables in build or host-exec processes to see if any of these compiler override variables are set. For example, you can run commands to print these variables in the environment where builds occur.

• Check environment variables in the shell or build environment: `echo $CC`, `echo $CXX`, `echo $CARGO_BUILD_RUSTC`, `echo $CMAKE_C_COMPILER`
• Use process inspection tools to check environment variables of running build processes, e.g., `ps eww <pid>` or `cat /proc/<pid>/environ | tr '\0' '\n' | grep -E 'CC|CXX|CARGO_BUILD_RUSTC|CMAKE_C_COMPILER'` on Linux.
• Monitor build logs or scripts for unexpected compiler paths or commands that differ from standard system compilers.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.31 or later, where the vulnerability is fixed by blocking dangerous compiler environment variables.

If upgrading immediately is not possible, you should ensure that environment variables such as CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER, and CMAKE_CXX_COMPILER are not set or overridden in any host execution or build environment.

Additionally, restrict or audit host-exec requests to prevent untrusted models or users from executing builds with overridden environment variables.

• Upgrade OpenClaw to version 2026.3.31 or later.
• Sanitize or unset compiler override environment variables (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER, CMAKE_CXX_COMPILER) before build execution.
• Audit and restrict host execution permissions to trusted users and processes only.

Useful 0 Not Useful 0