CVE-2026-41294

CVSS v3.1

9.6

Critical

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.

Impact

A repository or workspace containing a malicious .env file could override runtime configuration and security-sensitive environment settings when OpenClaw started there.

Affected Component

src/infra/dotenv.ts, src/cli/dotenv.ts

Fixed Versions

Affected: <= 2026.3.24
Patched: >= 2026.3.28
Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 6a79324802 (Filter untrusted CWD .env entries before OpenClaw startup).

Fix

Untrusted Search Path

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-426CWE-15

Related Identifiers

CVE-2026-41294

GHSA-8RH7-6779-CJQQ

Affected Products

Openclaw

CVE-2026-41294

Summary

Impact

Affected Component

Fixed Versions

Fix

Weakness Enumeration

Related Identifiers

Affected Products

References · 7