CVE-2026-45003
Received Received - Intake
OpenClaw Workspace Dotenv Endpoint Host Override Vulnerability

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-45003
EUVD
EUVD-2026-29148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45003 is a vulnerability in OpenClaw versions before 2026.4.22 where workspace dotenv files can override connector endpoint hosts for services like Matrix, Mattermost, IRC, and Synology connectors.

Attackers who have access to the workspace can modify these dotenv files to redirect runtime traffic to malicious endpoints by setting specific endpoint variables.

This means that instead of connecting to legitimate service endpoints, the application could be tricked into communicating with attacker-controlled servers.

Impact Analysis

This vulnerability allows an attacker with workspace access to redirect traffic intended for trusted connectors to malicious endpoints.

Such redirection can lead to interception or manipulation of data, potentially compromising confidentiality and integrity of communications.

It could also enable attackers to perform man-in-the-middle attacks or inject malicious payloads through these connectors.

Detection Guidance

This vulnerability involves workspace dotenv files overriding connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. To detect it, you should inspect the workspace .env files for the presence of specific environment variables that could redirect traffic.

  • Check workspace .env files for the following variables: MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, SYNOLOGY_NAS_HOST.
  • Use commands like grep to search for these variables in your workspace directories, for example: grep -rE 'MATRIX_HOMESERVER|MATTERMOST_URL|IRC_HOST|SYNOLOGY_CHAT_INCOMING_URL|SYNOLOGY_NAS_HOST' /path/to/workspace
  • Monitor runtime traffic for unexpected redirections or connections to unknown endpoints that differ from operator-configured hosts.
Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.4.22 or later, where the vulnerability has been fixed by blocking workspace dotenv overrides for critical connector endpoint variables.

  • Update OpenClaw to version 2026.4.22 or newer.
  • Review and remove any unauthorized or suspicious environment variable overrides in workspace .env files, especially those related to connector endpoints.
  • Ensure that workspace .env files do not contain variables like MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, SYNOLOGY_CHAT_INCOMING_URL, or SYNOLOGY_NAS_HOST.
  • Implement monitoring to detect unexpected endpoint redirections or traffic to malicious hosts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart