CVE-2026-43584
Analyzed Analyzed - Analysis Complete
Insufficient Environment Variable Denylist in OpenClaw

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-07
Generated
2026-06-10
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-09
NVD
CVE-2026-43584
EUVD
EUVD-2026-28180
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the ability to override high-risk interpreter startup environment variables such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Detection would involve checking if these environment variables are set or overridden in the execution environment of OpenClaw processes.

You can inspect the environment variables of running OpenClaw processes to see if any of these high-risk variables are set. For example, on a Unix-like system, you might use commands like:

  • ps aux | grep openclaw
  • cat /proc/<pid>/environ | tr '\0' '\n' | grep -E 'VIMINIT|EXINIT|LUA_INIT|HOSTALIASES'

Alternatively, if you have access to the shell environment where OpenClaw runs, you can check these variables directly by running:

  • echo $VIMINIT
  • echo $EXINIT
  • echo $LUA_INIT
  • echo $HOSTALIASES

Monitoring for unexpected or suspicious values in these variables can help detect exploitation attempts.

Executive Summary

This vulnerability exists in OpenClaw versions before 2026.4.10 and involves an insufficient environment variable denylist in its execution environment policy.

Specifically, it allows operator-supplied overrides of high-risk interpreter startup variables such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES.

Attackers can exploit this by manipulating these environment variables to influence how downstream processes execute or affect network connectivity.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized control over the execution behavior of downstream processes.

This can result in potential compromise of system integrity, unauthorized actions, or altered network connectivity.

Given the high CVSS scores (8.7 and 8.8), the impact is considered severe, potentially allowing attackers to cause significant harm without user interaction.

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.4.10 or later, as these versions include a fix that expands the environment variable denylist to block high-risk interpreter startup variables.

This fix prevents operator-supplied overrides of environment variables like VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES, closing the sanitization gap.

If upgrading immediately is not possible, consider implementing environment variable sanitization or restrictions in your deployment environment to prevent these variables from being set or overridden.

Review your exec environment policies and ensure that environment variables are properly controlled and sanitized.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart