Environment Variable Namespace Collision in OpenClaw by OpenClaw
CVE-2026-44114

8.5HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-44114?

The OpenClaw vulnerability allows an attacker to manipulate runtime behavior by exploiting the failure to properly reserve the runtime-control environment namespace in workspace dotenv files. Malicious actors can set critical variables like OPENCLAW_GIT_DIR in untrusted workspaces, potentially leading to unauthorized configurations and harmful changes during source-update or installation processes.

Affected Version(s)

OpenClaw 0 < 2026.4.20

OpenClaw 2026.4.20

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/018494fa3ebb9...

patch

https://www.vulncheck.com/advisories/openclaw-environment...

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
May 5, 2026

Credit

foodlook

CVE-2026-44114 Data

JSON

Openclaw

What is CVE-2026-44114?

Affected Version(s)

References

CVSS V4

Timeline

Credit