PT-2026-32066 · Npm · Openclaw
Published
2026-04-01
·
Updated
2026-04-01
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Summary
OpenClaw loaded the current working directory
.env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.Impact
A repository or workspace containing a malicious
.env file could override runtime configuration and security-sensitive environment settings when OpenClaw started there.Affected Component
src/infra/dotenv.ts, src/cli/dotenv.tsFixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit
6a79324802 (Filter untrusted CWD .env entries before OpenClaw startup).Fix
Untrusted Search Path
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw