Environment Variable Bypass in OpenClaw by OpenClaw
CVE-2026-41391

5.8 MEDIUM

Key Information:

Vendor

Openclaw

Status
Vendor
CVE Published:
28 April 2026

What is CVE-2026-41391?

OpenClaw does not adequately sanitize the PIP_INDEX_URL and UV_INDEX_URL environment variables, which gives an attacker who can set them an opportunity to redirect Python package-index traffic. By injecting a malicious index URL through these variables, the attacker can intercept or manipulate package-management operations, compromising the security of package handling in affected environments.
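The defensive counterpart to the flaw described above is to treat these variables as untrusted input before any pip or uv subprocess inherits them. The following is an added example, not OpenClaw's code: it validates PIP_INDEX_URL and UV_INDEX_URL against an allowlist of index hosts and drops any value that fails, so a redirected index never reaches the package manager. The allowlist, the `sanitized_env` helper and the constructed environment in the usage block are assumptions for illustration.

```python
"""Strip or validate pip/uv index-URL environment variables before spawning
a package manager.  Added example; not part of OpenClaw.  The trusted-host
policy below is an assumption, not a value taken from the advisory."""
import os
import subprocess
from urllib.parse import urlparse

# The two variables named in the advisory.
INDEX_ENV_VARS = ("PIP_INDEX_URL", "UV_INDEX_URL")

# Assumed policy: only the public index and its file host are acceptable.
TRUSTED_INDEX_HOSTS = frozenset({"pypi.org", "files.pythonhosted.org"})


def index_url_is_trusted(url: str) -> bool:
    """True only for an https URL whose host is exactly on the allowlist.

    Rejects plain http (downgrade / interception), embedded credentials
    (leak to a third-party host) and look-alike hosts such as
    pypi.org.attacker.example, which a substring check would accept.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.username or parsed.password:
        return False
    host = (parsed.hostname or "").lower()
    return host in TRUSTED_INDEX_HOSTS


def sanitized_env(env: dict) -> tuple:
    """Return (copy of env safe to hand to subprocess, names that were dropped).

    Unset variables are left alone; pip/uv then fall back to their defaults.
    """
    clean = dict(env)
    dropped = []
    for name in INDEX_ENV_VARS:
        value = clean.get(name)
        if value is None:
            continue
        if not index_url_is_trusted(value):
            del clean[name]
            dropped.append(name)
    return clean, dropped


def run_pip(args, env=None):
    """Run pip with a sanitized environment.  Returns the CompletedProcess."""
    base = dict(os.environ if env is None else env)
    clean, dropped = sanitized_env(base)
    for name in dropped:
        print(f"[warn] dropped untrusted {name} before invoking pip")
    return subprocess.run(["python", "-m", "pip", *args], env=clean, check=False)


if __name__ == "__main__":
    # Constructed environment: one redirected index, one legitimate one.
    hostile = {
        "PATH": os.environ.get("PATH", ""),
        "PIP_INDEX_URL": "http://mirror.attacker.example/simple",  # constructed
        "UV_INDEX_URL": "https://pypi.org/simple",
    }
    clean, dropped = sanitized_env(hostile)
    print("dropped:", dropped)          # ['PIP_INDEX_URL']
    print("kept UV_INDEX_URL:", clean.get("UV_INDEX_URL"))
```

Scrubbing the environment closes only the path this advisory describes. pip and uv also read index settings from their configuration files (pip.conf and uv.toml), so a deployment that cannot trust the whole process environment should pin the index explicitly on the command line as well, or run installs in an environment built from scratch rather than inherited.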

Affected Version(s)

OpenClaw 0 < 2026.3.31

OpenClaw 2026.3.31

References

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nathan (@nexrin)
KeenSecurityLab
qclawer