PT-2026-35772 · Openclaw · Openclaw
Tdjackey · Published 2026-03-31 · Updated 2026-04-28 · CVE-2026-41387
CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.22
Description: Incomplete sanitization of host environment variables in host-env-security-policy.json and host-env-security.ts lets package-manager environment overrides pass through to approved exec requests. An attacker can use such a request to redirect package resolution or runtime bootstrap to infrastructure under their control, leading to execution of trojanized content.
Recommendations: Update to version 2026.3.22.
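As an added defensive illustration (not OpenClaw's code; the variable names, prefixes and allowlist below are assumptions chosen for the example, not the identifiers from this advisory), the following TypeScript contrasts an exact-name denylist, which is incomplete against package-manager variable families, with an allowlist policy that only forwards what a package-manager child process needs:

```typescript
// Added example, not from the OpenClaw project. Variable names are
// illustrative assumptions: they are not the ones named in the advisory.
type Env = Record<string, string | undefined>;

// Weak pattern: exact-name denylist. Misses case variants and whole
// families such as npm_config_*, which npm reads regardless of letter case.
const DENIED_EXACT = new Set(["NPM_CONFIG_REGISTRY", "NODE_OPTIONS"]);

function denylistOnly(host: Env): Env {
  const env: Env = {};
  for (const [name, value] of Object.entries(host)) {
    if (value !== undefined && !DENIED_EXACT.has(name)) env[name] = value;
  }
  return env;
}

// Stronger pattern: explicit allowlist, plus a case-insensitive deny of
// override families so an operator cannot accidentally re-admit one.
const ALLOWED = new Set(["PATH", "HOME", "TMPDIR", "LANG", "USER"]);
const DENIED_PREFIXES = ["NPM_CONFIG_", "YARN_", "PNPM_", "PIP_"];
const DENIED_NAMES = new Set(["NODE_OPTIONS", "NODE_PATH", "PYTHONPATH"]);

function isOverrideFamily(name: string): boolean {
  const upper = name.toUpperCase();
  return DENIED_NAMES.has(upper) || DENIED_PREFIXES.some((p) => upper.startsWith(p));
}

function buildChildEnv(host: Env, extraAllowed: string[] = []): { env: Env; dropped: string[] } {
  const allowed = new Set([...ALLOWED, ...extraAllowed.map((n) => n.toUpperCase())]);
  const env: Env = {};
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(host)) {
    if (value === undefined) continue;
    // Deny wins over allow; anything not explicitly allowed is dropped too.
    if (isOverrideFamily(name) || !allowed.has(name.toUpperCase())) {
      dropped.push(name);
      continue;
    }
    env[name] = value;
  }
  return { env, dropped };
}

// Constructed sample host environment (values are placeholders).
const CONSTRUCTED_HOST: Env = {
  PATH: "/usr/bin",
  HOME: "/home/agent",
  LANG: "C.UTF-8",
  npm_config_registry: "http://registry.example.invalid",
  NODE_OPTIONS: "--max-old-space-size=64",
};

console.log("denylist only:", Object.keys(denylistOnly(CONSTRUCTED_HOST)));
console.log("allowlist:", buildChildEnv(CONSTRUCTED_HOST));
```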

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-41387
GHSA-J7P2-QCWM-94V4

Affected Products

Openclaw