PT-2026-37325 · Npm · Openclaw
Published 2026-04-25 · Updated 2026-04-25
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: < 2026.4.20
- Patched version: 2026.4.20
Impact
Workspace .env loading did not reserve the OPENCLAW_ runtime-control namespace broadly enough. A malicious workspace could set variables such as OPENCLAW_GIT_DIR before source-update or installer flows ran, potentially steering trusted OpenClaw runtime behavior. Exploitation requires running OpenClaw from an attacker-controlled workspace. The advisory text rates the severity as medium, while the CVSS v3.1 vector listed above scores 7.8 (High).
Fix
OpenClaw now reserves the workspace OPENCLAW_ environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables.
Fix commit: 018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6
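The fix described above, as an added example that is not OpenClaw's own code: a small workspace .env loader in the "before" form (a specific deny-list, the pattern CWE-184 describes) beside the hardened form that reserves the whole OPENCLAW_ prefix. The parser, both loader functions, the hypothetical deny-list names OPENCLAW_HOME and OPENCLAW_CONFIG, and the sample .env content are assumptions for illustration; only OPENCLAW_GIT_DIR is taken from the advisory. The prefix check compares case-insensitively because environment variable names are case-insensitive on Windows, so a lowercase key would otherwise reach the same process variable.

```javascript
// Added example, not OpenClaw's code. Names marked "hypothetical" are
// assumptions made for illustration; OPENCLAW_GIT_DIR comes from the advisory.

// Minimal dotenv parser: KEY=VALUE lines, optional `export ` prefix, optional
// single/double quotes around the value; `#` comments and blank lines ignored.
function parseDotenv(text) {
  const entries = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // malformed line: skip rather than guess
    let value = m[2].trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    entries.push([m[1], value]);
  }
  return entries;
}

// "Before": an enumerated deny-list (hypothetical names). Any runtime-control
// variable not on the list, here OPENCLAW_GIT_DIR, is accepted from an
// attacker-controlled workspace.
const DENIED_NAMES = new Set(["OPENCLAW_HOME", "OPENCLAW_CONFIG"]);
function loadWorkspaceEnvDenyList(text) {
  const accepted = {}, rejected = [];
  for (const [key, value] of parseDotenv(text)) {
    if (DENIED_NAMES.has(key)) rejected.push(key);
    else accepted[key] = value;
  }
  return { accepted, rejected };
}

// "After": reserve the whole OPENCLAW_ namespace. Uppercase before comparing
// so `openclaw_git_dir` is treated like `OPENCLAW_GIT_DIR`, as Windows does.
const RESERVED_PREFIX = "OPENCLAW_";
function isReservedRuntimeVar(key) {
  return key.toUpperCase().startsWith(RESERVED_PREFIX);
}
function loadWorkspaceEnvReserved(text) {
  const accepted = {}, rejected = [];
  for (const [key, value] of parseDotenv(text)) {
    if (isReservedRuntimeVar(key)) rejected.push(key);
    else accepted[key] = value;
  }
  return { accepted, rejected };
}

// Constructed sample workspace .env for this example (not from a real project).
const MALICIOUS_WORKSPACE_ENV = [
  "# looks like an ordinary project .env",
  "DATABASE_URL=postgres://localhost/app",
  'export OPENCLAW_GIT_DIR="/tmp/attacker-controlled/.git"',
  "openclaw_git_dir=/tmp/attacker-controlled/.git",
  "OPENCLAW_HOME=/tmp/evil-home",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("deny-list:", loadWorkspaceEnvDenyList(MALICIOUS_WORKSPACE_ENV));
  console.log("reserved :", loadWorkspaceEnvReserved(MALICIOUS_WORKSPACE_ENV));
}
```

Run with `node`. The deny-list loader lets OPENCLAW_GIT_DIR through in both spellings; the prefix loader rejects every OPENCLAW_* entry while still accepting ordinary project variables such as DATABASE_URL. Reserving the prefix rather than maintaining a list is what closes the incomplete-list weakness named below.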
Release
Fixed in OpenClaw 2026.4.20.
Weakness Enumeration
Incomplete List of Disallowed Inputs (CWE-184)
Related identifiers
Affected products
Openclaw