CVE-2026-41915
Status: Received - Intake
Environment Variable Injection in OpenClaw Git Operations Risks Repository Integrity

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.4.8 (upper bound exclusive)
CWE
CWE-184 (Incomplete List of Disallowed Inputs): The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41915 is a vulnerability in OpenClaw versions before 2026.4.8 where Git plumbing environment variables, such as GIT_DIR, are not removed from the execution environment before running host exec operations.

This allows attackers with limited privileges to set these environment variables and redirect Git operations, potentially compromising the integrity of Git repositories.

The root cause is an incomplete denylist of environment variables, leading to improper neutralization of special elements used in OS commands (CWE-78) and an incomplete list of disallowed inputs (CWE-184).


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can allow an attacker with limited privileges to manipulate Git operations by setting Git plumbing environment variables such as GIT_DIR, which redirect where Git reads and writes repository data.

As a result, the integrity of your Git repositories can be compromised, potentially leading to unauthorized changes, code tampering, or disruption of development workflows.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection starts with the version: any OpenClaw release before 2026.4.8 is affected, because those builds do not remove Git plumbing environment variables such as GIT_DIR before executing host commands.

Beyond the version check, inspect the environment of running OpenClaw processes, and of the shells or scripts that launch them, for Git-related variables. Their presence does not by itself prove exploitation, but it shows that a vulnerable build would pass them through to Git.

  • Use `ps aux | grep '[o]penclaw'` to find running OpenClaw processes (the bracket keeps the grep command itself out of the results).
  • Use `cat /proc/<pid>/environ | tr '\0' '\n' | grep '^GIT_'`, replacing `<pid>` with the OpenClaw process ID, to list GIT_DIR and any related GIT_* variables. Reading another user's process environment requires matching privileges or root.
  • Check the shell sessions or scripts that launch OpenClaw with `env | grep '^GIT_'` or similar.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenClaw to version 2026.4.8 or later, where the vulnerability has been patched by properly removing Git plumbing environment variables from the execution environment before host exec operations.

Until the upgrade can be applied, ensure that environment variables such as GIT_DIR and other Git plumbing variables are not set or passed in the execution environment of OpenClaw processes.

Limit the privileges of users who can execute OpenClaw to reduce the risk of exploitation, as the vulnerability requires limited privileges but not elevated ones.

Review and sanitize any scripts or automation that invoke OpenClaw to ensure they do not propagate unsafe environment variables.

