PT-2026-41218 · Npm · Openclaw

Published

2026-05-04

·

Updated

2026-05-04

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Workspace dotenv files cannot override connector endpoint hosts.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.21
  • Fixed version: 2026.4.22

Impact

A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint.

Fix

Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate.

Fix Commit(s)

  • 0623079e98abf7202591f1b04a89755eb7ec9272

Verification

  • The fix commit is contained in the public v2026.4.22 tag.
  • openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
  • Focused regression coverage for this path passed before publication.
OpenClaw thanks @qi-scape for reporting.

Fix

Uncontrolled Search Path Element

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-427CWE-610

Related Identifiers

GHSA-55CF-XX38-4P9P

Affected Products

Openclaw