CVE-2026-41396

CVSS v3.1

7.8

High

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW BUNDLED PLUGINS DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-829

Related Identifiers

CVE-2026-41396

Affected Products

Openclaw

CVE-2026-41396

Weakness Enumeration

Related Identifiers

Affected Products

References · 5