PT-2026-33861 · Openclaw · Openclaw

Tdjackey · Published 2026-04-01 · Updated 2026-04-22 · CVE-2026-41294

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28

Description: An environment variable injection issue occurs because the software loads the .env file from the current working directory before the trusted state-dir configuration. This allows untrusted workspace state to inject host environment values. An attacker can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during startup, potentially leading to configuration takeover and bypassing host-env policy. The issue is located in the src/infra/dotenv.ts and src/cli/dotenv.ts components.

Recommendations: Update to version 2026.3.28.
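The load-order problem the description refers to, as an added illustration that is not OpenClaw's code and not its actual fix: a minimal .env parser plus two loaders that differ only in which file is applied first. The keys ALLOW_SHELL and API_BASE and both file contents are constructed for this example.

```javascript
// Added illustration, not OpenClaw's code. Shows why the order in which .env
// sources are applied decides who controls a security-sensitive setting.

// Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(val)) val = val.slice(1, -1);
    out[key] = val;
  }
  return out;
}

// Apply parsed values like dotenv's default: never replace a key already set.
function applyEnv(env, values) {
  for (const [k, v] of Object.entries(values)) {
    if (!(k in env)) env[k] = v;
  }
  return env;
}

// Constructed sample files. STATE_DIR_ENV stands for the trusted host config;
// WORKSPACE_ENV is whatever a checked-out repository happens to contain.
const STATE_DIR_ENV = 'ALLOW_SHELL=false\nAPI_BASE="https://api.example.invalid"\n';
const WORKSPACE_ENV = '# written into the repo, not by the host\nALLOW_SHELL=true\nAPI_BASE=http://127.0.0.1:8080\n';

// Weak order (what the advisory describes): the cwd .env is applied first, so
// its keys are already set when the trusted state-dir file arrives too late.
function loadWeak(processEnv = {}) {
  const env = { ...processEnv };
  applyEnv(env, parseDotenv(WORKSPACE_ENV));
  applyEnv(env, parseDotenv(STATE_DIR_ENV));
  return env;
}

// Hardened order: real process env, then trusted state-dir, then the cwd file;
// a workspace value can only fill keys the host left undefined.
function loadHardened(processEnv = {}) {
  const env = { ...processEnv };
  applyEnv(env, parseDotenv(STATE_DIR_ENV));
  applyEnv(env, parseDotenv(WORKSPACE_ENV));
  return env;
}
```

A detection-side check follows from the same idea: if the effective value of a host-policy key differs from the state-dir file, a lower-trust source was applied ahead of it.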

Fix

Weakness Enumeration

Untrusted Search Path

Related Identifiers

CVE-2026-41294
GHSA-8RH7-6779-CJQQ

Affected Products

Openclaw