CVE-2026-43531
Environment Variable Injection in OpenClaw
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-15 | One or more system settings or configuration elements can be externally controlled by a user. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-43531 is an environment variable injection vulnerability in OpenClaw versions before 2026.4.9. Malicious workspace .env files can inject runtime-control variables that affect critical application settings such as update sources, gateway URLs, ClawHub resolution, and browser executable paths.
This injection allows attackers to manipulate the application's runtime behavior by setting variables that should normally be controlled internally, potentially compromising the application's integrity and operation.
How can this vulnerability impact me? :
This vulnerability can lead to an attacker compromising the behavior of the OpenClaw application by injecting malicious environment variables through workspace .env files.
- Attackers can redirect update sources, potentially causing the application to download malicious updates.
- They can alter gateway URLs and ClawHub resolution, affecting network routing and service endpoints.
- They can manipulate browser executable paths, which may lead to execution of unintended or malicious binaries.
Overall, this can result in a high-severity compromise of application behavior, integrity, and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious workspace .env files injecting runtime-control variables in OpenClaw before version 2026.4.9. Detection involves inspecting workspace .env files for suspicious or unauthorized environment variables that affect update sources, gateway URLs, ClawHub resolution, or browser executable paths.
You can manually check for the presence of .env files in your OpenClaw workspace directories and review their contents for any suspicious keys related to OpenClaw runtime control.
- Use commands like `find . -name ".env"` to locate .env files in your project directories.
- Use `grep` to search for suspicious environment variables, for example: `grep -E "OPENCLAW_GATEWAY_PORT|CLAWHUB_TOKEN|OPENCLAW_BROWSER_PATH" .env`.
Since the vulnerability is related to environment variable injection, monitoring runtime environment variables for unexpected values related to OpenClaw control keys can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.9 or later, as these versions include a fix that blocks runtime-control keys from being loaded via workspace .env files.
The fix involves a blocklist of over 40 sensitive environment variable keys that prevent injection through .env files, protecting critical runtime behavior.
Additionally, review and clean any existing workspace .env files to remove or secure any environment variables that could affect OpenClaw's runtime control.
Avoid running OpenClaw with untrusted or unverified workspace repositories that may contain malicious .env files.