PT-2026-35758 · Openclaw · Openclaw
Tdjackey · Published 2026-04-03 · Updated 2026-05-01 · CVE-2026-41373
CVSS v3.1: 6.1 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.31
Description
An incomplete host-env-security-policy.json fails to restrict the environment variables through which build tools choose their compiler binary. An untrusted model can therefore substitute CC, CXX, CARGO_BUILD_RUSTC and CMAKE_C_COMPILER via environment overrides. An attacker whose host-exec request has been approved can point these variables at a binary under their control, which the build then invokes in place of the real compiler, yielding arbitrary code execution during the build process.
Recommendations
Update to version 2026.3.31.
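The policy gap described above and the corresponding hardening, as an added example that is not part of this advisory or of OpenClaw's code base. The policy file schema ({deniedNames, deniedPatterns}), the helper names and the sample paths are assumptions for illustration; the example only computes the argv a build step would run and spawns nothing:

```javascript
// Added example, not OpenClaw's own code: a minimal model of the host-exec
// environment-override filter that a file like host-env-security-policy.json
// is meant to drive. The policy shape ({deniedNames, deniedPatterns}) and
// every helper name here are assumptions for illustration only.

// Weak policy: it blocks the classic loader-hijack variables but says nothing
// about the variables through which build tools pick their compiler binary.
const WEAK_POLICY = {
  deniedNames: ["PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES"],
  deniedPatterns: [],
};

// Hardened policy: adds the four variables named in the advisory, plus
// (assumption) sibling variables with the same effect, and patterns so that
// CMAKE_<LANG>_COMPILER / *_COMPILER_LAUNCHER and CARGO_*RUSTC* variants are
// caught without listing each one.
const HARDENED_POLICY = {
  deniedNames: [
    ...WEAK_POLICY.deniedNames,
    "CC", "CXX", "CARGO_BUILD_RUSTC", "CMAKE_C_COMPILER",
    "CMAKE_CXX_COMPILER", "RUSTC", "RUSTC_WRAPPER", "LD", "AR",
  ],
  deniedPatterns: [
    /^CMAKE_[A-Za-z]+_COMPILER(_LAUNCHER)?$/,
    /^CARGO_.*RUSTC/,
    /^CARGO_TARGET_.*_(LINKER|RUNNER)$/,
  ],
};

// True when the policy forbids a model-supplied override of this variable.
function isDenied(policy, name) {
  return policy.deniedNames.includes(name) ||
    policy.deniedPatterns.some((re) => re.test(name));
}

// Split a requested override map into the part the policy lets through and
// the part it rejects. Rejected entries never reach the child process.
function filterEnvOverrides(policy, overrides) {
  const allowed = {};
  const rejected = {};
  for (const [name, value] of Object.entries(overrides)) {
    (isDenied(policy, name) ? rejected : allowed)[name] = value;
  }
  return { allowed, rejected };
}

// Model what a Makefile-driven build step would execute: the compiler is
// whatever $CC resolves to once the surviving overrides are merged over the
// host environment. Nothing is spawned; only the argv is returned.
function plannedCompileArgv(hostEnv, allowedOverrides, sourceFile) {
  const env = { ...hostEnv, ...allowedOverrides };
  return [env.CC, "-o", sourceFile.replace(/\.c$/, ""), sourceFile];
}

// Constructed sample: the environment a model might attach to an approved
// host-exec request. Every path below is made up for the example.
const MODEL_REQUEST = {
  CC: "/tmp/evil-cc.sh",
  CXX: "/tmp/evil-cc.sh",
  CARGO_BUILD_RUSTC: "/tmp/evil-rustc.sh",
  CMAKE_C_COMPILER: "/tmp/evil-cc.sh",
  CFLAGS: "-O2",
};
const HOST_ENV = { PATH: "/usr/bin:/bin", CC: "/usr/bin/cc" };

// Run the same request through both policies and report what a build would execute.
function demo() {
  const weak = filterEnvOverrides(WEAK_POLICY, MODEL_REQUEST);
  const hard = filterEnvOverrides(HARDENED_POLICY, MODEL_REQUEST);
  return {
    weakArgv: plannedCompileArgv(HOST_ENV, weak.allowed, "hello.c"),
    hardArgv: plannedCompileArgv(HOST_ENV, hard.allowed, "hello.c"),
    hardRejected: Object.keys(hard.rejected).sort(),
    hardAllowed: Object.keys(hard.allowed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the weak policy the build's argv starts with /tmp/evil-cc.sh, so the "compiler" is the attacker's script; under the hardened policy it stays /usr/bin/cc and the four compiler variables are reported as rejected while CFLAGS passes. A name denylist of this kind is inherently incomplete: variables such as CFLAGS, LDFLAGS or RUSTFLAGS can also cause code execution through flags like gcc's -fplugin= and -specs= or rustc's -C linker=, so the more robust design is an allowlist of the few variables a model may set, with everything else dropped.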
Fix
Weakness Enumeration
Uncontrolled Search Path Element (CWE-427)
Related Identifiers
Affected Products
Openclaw