Environment Variable Sanitization Vulnerability in OpenClaw by OpenClaw
CVE-2026-41332

5.8MEDIUM

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 23 April 2026

What is CVE-2026-41332?

OpenClaw versions prior to 2026.3.28 are vulnerable to an environment variable sanitization flaw. This issue arises because essential environment variables such as GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not included in the host-env blocklist. Malicious actors can exploit this flaw through approved executable requests, enabling them to alter the behavior of git or the AWS CLI. This leads to the potential execution of untrusted code or loading of harmful credentials from attacker-controlled configuration files.

Affected Version(s)

OpenClaw 0 < 2026.3.28

OpenClaw 2026.3.28

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://www.vulncheck.com/advisories/openclaw-code-execut...

third-party-advisory

CVSS V4

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Nicky (@nicky-cc)

CVE-2026-41332 Data

JSON

Openclaw

What is CVE-2026-41332?

Affected Version(s)

References

CVSS V4

Timeline

Credit