CVE-2026-43584
Insufficient Environment Variable Denylist in OpenClaw
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.4.10 and involves an insufficient environment variable denylist in its execution environment policy.
Specifically, it allows operator-supplied overrides of high-risk interpreter startup variables such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES.
Attackers can exploit this by manipulating these environment variables to influence how downstream processes execute or affect network connectivity.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized control over the execution behavior of downstream processes.
This can result in potential compromise of system integrity, unauthorized actions, or altered network connectivity.
Given the high CVSS scores (8.7 and 8.8), the impact is considered severe, potentially allowing attackers to cause significant harm without user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the ability to override high-risk interpreter startup environment variables such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Detection would involve checking if these environment variables are set or overridden in the execution environment of OpenClaw processes.
You can inspect the environment variables of running OpenClaw processes to see if any of these high-risk variables are set. For example, on a Unix-like system, you might use commands like:
- ps aux | grep openclaw
- cat /proc/<pid>/environ | tr '\0' '\n' | grep -E 'VIMINIT|EXINIT|LUA_INIT|HOSTALIASES'
Alternatively, if you have access to the shell environment where OpenClaw runs, you can check these variables directly by running:
- echo $VIMINIT
- echo $EXINIT
- echo $LUA_INIT
- echo $HOSTALIASES
Monitoring for unexpected or suspicious values in these variables can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.10 or later, as these versions include a fix that expands the environment variable denylist to block high-risk interpreter startup variables.
This fix prevents operator-supplied overrides of environment variables like VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES, closing the sanitization gap.
If upgrading immediately is not possible, consider implementing environment variable sanitization or restrictions in your deployment environment to prevent these variables from being set or overridden.
Review your exec environment policies and ensure that environment variables are properly controlled and sanitized.