PT-2026-38247 · Openclaw · Openclaw
Foodlook
·
Published
2026-04-25
·
Updated
2026-05-07
·
CVE-2026-44114
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.20
Description
OpenClaw fails to properly reserve the
OPENCLAW runtime-control environment namespace in workspace dotenv files. This allows attackers to override critical runtime variables. For instance, malicious workspaces can set variables such as OPENCLAW GIT DIR to manipulate trusted runtime behavior during installer flows or source-update processes.Recommendations
Update to version 2026.4.20.
Fix
Incomplete List of Disallowed Inputs
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw