PT-2026-35805 · Openclaw · Openclaw
Boyhack · Published 2026-04-28 · Updated 2026-04-28
CVE-2026-42427
CVSS v3.1: 5.3 Medium (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N)
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.
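The gap described above, as an added example that is not OpenClaw's code: a denylist filter for environment overrides on a host exec request, run with and without the four names from the advisory, beside an allowlist filter that rejects unlisted names by default. The function names, the other denylist entries, the allowlist and the sample request are assumptions constructed for illustration.

```javascript
// Added illustration, not OpenClaw source. Only FIX_ENTRIES comes from the
// advisory; DENYLIST_BEFORE, ALLOWLIST and SAMPLE_OVERRIDES are constructed.
const DENYLIST_BEFORE = ["LD_PRELOAD", "NODE_OPTIONS", "GIT_SSH_COMMAND"];
const FIX_ENTRIES = ["HGRCPATH", "CARGO_BUILD_RUSTC_WRAPPER", "RUSTC_WRAPPER", "MAKEFLAGS"];
const DENYLIST_AFTER = [...DENYLIST_BEFORE, ...FIX_ENTRIES];
const ALLOWLIST = ["LANG", "TERM", "TZ"];

// Compare case-insensitively: Windows treats variable names that way, and
// over-blocking on POSIX is the safe direction for a filter like this.
const norm = (name) => name.toUpperCase();

// Split overrides into those handed to the child process and those refused.
function partition(overrides, keep) {
  const passed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(overrides)) {
    if (keep(norm(name))) passed[name] = value;
    else rejected.push(name);
  }
  return { passed, rejected };
}

// Denylist: every override passes unless its name is listed.
function filterByDenylist(overrides, denylist) {
  const denied = new Set(denylist.map(norm));
  return partition(overrides, (n) => !denied.has(n));
}

// Allowlist: every override is refused unless its name is listed, so a
// build-tool hook nobody enumerated is rejected by default.
function filterByAllowlist(overrides, allowlist) {
  const allowed = new Set(allowlist.map(norm));
  return partition(overrides, (n) => allowed.has(n));
}

// Regression-test helper: which known hook variables does a denylist miss?
function denylistGaps(denylist, knownHooks) {
  const denied = new Set(denylist.map(norm));
  return knownHooks.filter((hook) => !denied.has(norm(hook)));
}

// Constructed overrides attached to a host exec request (placeholder values).
const SAMPLE_OVERRIDES = {
  LANG: "C.UTF-8",
  HGRCPATH: "<caller-supplied>",
  CARGO_BUILD_RUSTC_WRAPPER: "<caller-supplied>",
  RUSTC_WRAPPER: "<caller-supplied>",
  MAKEFLAGS: "<caller-supplied>",
};
```

Running `denylistGaps` against a maintained list of build-tool hook variables in CI turns a missing entry into a failing test.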
Fix
RCE
Incomplete List of Disallowed Inputs
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw