Remote Code Execution Vulnerability in OpenClaw by OpenClaw Team
CVE-2026-42427

5.8 MEDIUM

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 28 April 2026

What is CVE-2026-42427?

The vulnerability in OpenClaw stems from an incomplete environment variable denylist: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER and MAKEFLAGS were not filtered. An attacker who can set these variables for the build process can influence the commands the host executes, potentially leading to arbitrary code execution on affected systems. Users are strongly advised to upgrade to version 2026.4.8 or later to mitigate these risks. For further details, see the GitHub Security Advisory and the VulnCheck Advisory.
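As an added illustration (not OpenClaw's own code), a hypothetical build launcher that scrubs the inherited environment before spawning toolchain commands, showing the denylist form the advisory describes beside an allowlist form that does not depend on naming every dangerous variable. The name lists, `scrub_env`, `allowlist_env`, `leaked` and `spawn_build` are all constructed for this example.

```python
import os
import subprocess

# Constructed denylist for a hypothetical build launcher (not OpenClaw's own list).
# The first four are the names this advisory says were missing; each lets a
# build tool be pointed at another program or configuration.
BUILD_ENV_DENYLIST = frozenset({
    "HGRCPATH",                  # Mercurial: extra config files, including hooks
    "CARGO_BUILD_RUSTC_WRAPPER", # cargo: program invoked in place of rustc
    "RUSTC_WRAPPER",             # cargo: same effect, older/global spelling
    "MAKEFLAGS",                 # make: options honoured by every invocation
    "LD_PRELOAD",                # dynamic loader injection (Linux)
    "DYLD_INSERT_LIBRARIES",     # dynamic loader injection (macOS)
    "GIT_CONFIG_PARAMETERS",     # git: inline config overrides
    "PYTHONPATH",                # python: module search path
})
# Whole families are safer to drop than individual names; an exact-name
# denylist is always chasing the toolchains it tries to cover.
DENY_PREFIXES = ("CARGO_", "LD_", "DYLD_", "GIT_")

# The small set a build step genuinely needs; everything else is dropped.
BUILD_ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TERM", "TMPDIR", "USER"})


def scrub_env(env, denylist=BUILD_ENV_DENYLIST, prefixes=DENY_PREFIXES):
    """Denylist approach: copy env minus known-dangerous names and prefixes."""
    return {k: v for k, v in env.items()
            if k not in denylist and not k.startswith(prefixes)}


def allowlist_env(env, allowlist=BUILD_ENV_ALLOWLIST):
    """Allowlist approach: keep only variables the build is known to need."""
    return {k: v for k, v in env.items() if k in allowlist}


ADVISORY_NAMES = ("HGRCPATH", "CARGO_BUILD_RUSTC_WRAPPER", "RUSTC_WRAPPER", "MAKEFLAGS")


def leaked(env, names=ADVISORY_NAMES):
    """Names from the advisory that would still reach a child process."""
    return sorted(n for n in names if n in env)


def spawn_build(cmd, base_env=None):
    """Run a build command with a scrubbed copy of the inherited environment."""
    env = scrub_env(dict(os.environ if base_env is None else base_env))
    return subprocess.run(cmd, env=env, check=False)
```

Running `leaked` on the output of a denylist that lacks the four advisory names shows exactly the gap the fix closes; the allowlist form never has that gap, at the cost of declaring what the build needs.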

Affected Version(s)

  • OpenClaw 0 < 2026.4.8

  • OpenClaw 2026.4.8

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

boyhack (@boy-hack)