PT-2026-35556 · Openclaw · Openclaw
Nicky
·
Published
2026-04-27
·
Updated
2026-04-28
·
CVE-2026-41368
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.28
Description
An environment variable disclosure exists in the jq safe-bin policy. The policy fails to block the
$ENV filter, allowing attackers to bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.Recommendations
Update to version 2026.3.28.
Fix
Exposure of Resource to Wrong Sphere
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw