OpenClaw Environment Variable Disclosure Vulnerability via jq $ENV Filter Bypass

Vulnerability

A vulnerability allowing environment variable disclosure exists in OpenClaw versions prior to 2026.3.28. The issue arises in the jq safe-bin policy, which improperly allows access to environment data through the $ENV filter. This oversight enables attackers to bypass safe-bin restrictions and read sensitive environment variables that the policy is meant to protect.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive environment variables, bypassing the intended restrictions of the jq safe-bin policy.

Remediation

Users can upgrade to OpenClaw version 2026.3.28 or later to address this vulnerability.

Added: Apr 28, 2026, 12:23 AM
Updated: Apr 28, 2026, 12:23 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 6.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.