Environment Variable Override Vulnerability in OpenClaw by OpenClaw
CVE-2026-35650

7.7 HIGH

Key Information:

Vendor

Openclaw

Status
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35650?

OpenClaw before version 2026.3.22 allows its block on dangerous environment-variable overrides to be bypassed because override keys are sanitized along inconsistent code paths: a key that is blocked, or malformed, in the form that one path checks can still be accepted, and then be turned by another path into a variable that should have been refused. An attacker who can supply override keys can therefore set environment variables that were never intended to be settable and, through them, execute arbitrary code in the hosting environment, compromising its confidentiality, integrity and availability.
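To make the class of bug concrete, the following is an added, hypothetical TypeScript example written for this page; it is not OpenClaw's code, and the blocklist, helper names (toEnvp, parseEnvp, applyOverridesUnsafe, applyOverridesSafe, rejectReason) and hostile keys are all constructed for the demonstration. It shows an override-application routine whose blocklist check and key normalisation run on different paths, two generic ways that lets a blocked variable reach a child process, and a hardened routine that validates the exact string it will write:

```typescript
// Hypothetical example, not OpenClaw's code. The blocklist is illustrative;
// which names matter depends on the runtime and platform being protected.
const BLOCKED_KEYS: string[] = [
  "NODE_OPTIONS",          // --require= / --import= run code at Node startup
  "LD_PRELOAD",            // glibc loader injection
  "DYLD_INSERT_LIBRARIES", // macOS equivalent
  "PATH",                  // hijacks resolution of every spawned binary
];

type Env = Record<string, string>;

function copyEnv(src: Env): Env {
  const out: Env = {};
  for (const k of Object.keys(src)) out[k] = src[k];
  return out;
}

// Serialise the way execve(2)'s envp is built: one "KEY=VALUE" per variable.
function toEnvp(env: Env): string[] {
  return Object.keys(env).map((k) => `${k}=${env[k]}`);
}

// What the child actually sees: each entry is split at the FIRST '='.
function parseEnvp(envp: string[]): Env {
  const env: Env = {};
  for (const entry of envp) {
    const i = entry.indexOf("=");
    if (i <= 0) continue;
    env[entry.slice(0, i)] = entry.slice(i + 1);
  }
  return env;
}

// VULNERABLE PATTERN: the blocklist is checked against the raw key, but the
// key is trimmed afterwards (one sanitisation path) and then serialised
// verbatim into "KEY=VALUE" (a second path that never validates at all).
//   " NODE_OPTIONS"          -> not in the list; trim() yields NODE_OPTIONS
//   "NODE_OPTIONS=--require" -> not in the list; the envp entry becomes
//                               "NODE_OPTIONS=--require=/tmp/evil.js"
function applyOverridesUnsafe(base: Env, overrides: Env): string[] {
  const out = copyEnv(base);
  for (const rawKey of Object.keys(overrides)) {
    if (BLOCKED_KEYS.indexOf(rawKey) !== -1) continue; // check BEFORE normalising
    out[rawKey.trim()] = overrides[rawKey];            // normalise AFTER the check
  }
  return toEnvp(out);
}

// HARDENED: one validation function, run on the exact string that will be
// written, with no normalisation after it. Malformed names are rejected, not
// repaired, and the blocklist comparison is case-insensitive because Windows
// treats variable names case-insensitively.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/; // excludes whitespace, '=', NUL, ...

function rejectReason(key: string): string | null {
  if (!ENV_NAME.test(key)) return "malformed name";
  if (BLOCKED_KEYS.indexOf(key.toUpperCase()) !== -1) return "blocked name";
  return null;
}

function applyOverridesSafe(
  base: Env,
  overrides: Env,
): { envp: string[]; rejected: Record<string, string> } {
  const out = copyEnv(base);
  const rejected: Record<string, string> = {};
  for (const key of Object.keys(overrides)) {
    const why = rejectReason(key);
    if (why !== null) {
      rejected[key] = why;
      continue;
    }
    out[key] = overrides[key];
  }
  return { envp: toEnvp(out), rejected };
}

// Constructed attacker-controlled overrides: the two bypasses above, a
// case-variant of a blocked name, and one legitimate key.
const HOSTILE_OVERRIDES: Env = {
  " NODE_OPTIONS": "--require=/tmp/evil.js",
  "NODE_OPTIONS=--require": "/tmp/evil.js",
  "node_options": "--require=/tmp/evil.js",
  "APP_MODE": "prod",
};

// Run both routines over the same input and report what a child would see.
const DEMO_BASE: Env = { PATH: "/usr/bin", HOME: "/home/svc" };
const unsafeChild = parseEnvp(applyOverridesUnsafe(DEMO_BASE, HOSTILE_OVERRIDES));
const safeResult = applyOverridesSafe(DEMO_BASE, HOSTILE_OVERRIDES);
console.log("unsafe: child NODE_OPTIONS =", unsafeChild["NODE_OPTIONS"]);
console.log("safe:   child NODE_OPTIONS =", parseEnvp(safeResult.envp)["NODE_OPTIONS"]);
console.log("safe:   rejected =", safeResult.rejected);
```

The fix is structural rather than a longer blocklist: every check runs against the final bytes that will be written, nothing is rewritten after the check, and anything that does not look like a variable name is refused outright instead of being cleaned up. Where the set of legitimate overrides is known in advance, an allowlist of permitted names removes the guessing entirely. The bypasses shown are generic to this pattern and are not a description of the specific code paths fixed in OpenClaw 2026.3.22.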

Affected Version(s)

OpenClaw, all versions before 2026.3.22

Fixed in: OpenClaw 2026.3.22

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 10 April 2026

Credit

Peng Zhou (@zpbrent)