OpenClaw Environment Variable Injection Vulnerability in Host Execution

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.3.31 due to inadequate sanitization of environment variables in host execution processes. This flaw allows attackers to inject malicious environment variables that can override essential system settings, particularly those related to packages, registries, Docker, compilers, and TLS. Such overrides could disrupt the integrity of host execution.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of critical system configurations, potentially allowing malicious actions to be executed in the host environment.

Reproduction

The vulnerability can be reproduced by injecting harmful environment variables through the package, registry, Docker, compiler, or TLS override variable channels. These channels are reached during host execution operations, where the missing sanitization lets the injected variables take effect.

Remediation

Users can upgrade to OpenClaw version 2026.3.31 or later, where this vulnerability has been addressed.
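The root cause the advisory names is that override variables reach host execution unfiltered. As an added illustration, not OpenClaw's own code and not its actual patch, the following TypeScript filter drops caller-supplied variables in the five override channels the advisory lists (package, registry, Docker, compiler, TLS) before a child process is spawned; the variable names are well-known settings of those tools, and the grouping into categories is this example's own.

```typescript
// Added example, not OpenClaw project code: refuse env-var override channels
// before host execution. Names below are real package-manager, registry,
// Docker, compiler and TLS variables; the category grouping is illustrative.

type Env = Record<string, string | undefined>;

// Exact names that redirect tooling, swap toolchains or weaken TLS trust.
const BLOCKED_NAMES = new Set<string>([
  // package / registry overrides
  "NPM_CONFIG_REGISTRY", "PIP_INDEX_URL", "PIP_EXTRA_INDEX_URL", "GOPROXY",
  // docker client overrides
  "DOCKER_HOST", "DOCKER_CONFIG", "DOCKER_TLS_VERIFY", "DOCKER_CERT_PATH",
  // compiler / linker overrides
  "CC", "CXX", "CFLAGS", "CXXFLAGS", "LDFLAGS",
  // TLS trust overrides
  "SSL_CERT_FILE", "SSL_CERT_DIR", "NODE_EXTRA_CA_CERTS",
  "NODE_TLS_REJECT_UNAUTHORIZED", "CURL_CA_BUNDLE", "REQUESTS_CA_BUNDLE",
]);

// Prefixes covering whole families of package-manager configuration.
const BLOCKED_PREFIXES = ["NPM_CONFIG_", "PIP_", "YARN_", "CARGO_"];

interface SanitizeResult {
  env: Env;          // environment handed to the child process
  dropped: string[]; // rejected names, for logging and alerting
}

function isBlockedEnvName(name: string): boolean {
  // Compare case-insensitively: npm reads npm_config_* in lower case and
  // Windows treats variable names as case-insensitive.
  const upper = name.toUpperCase();
  if (BLOCKED_NAMES.has(upper)) return true;
  return BLOCKED_PREFIXES.some((p) => upper.startsWith(p));
}

// Merge caller-supplied overrides onto a trusted base environment, refusing
// the override channels. Values containing NUL are also rejected because
// some runtimes silently truncate them at the first NUL byte.
function sanitizeHostEnv(base: Env, overrides: Env): SanitizeResult {
  const env: Env = { ...base };
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(overrides)) {
    if (value === undefined || value.includes("\0") || isBlockedEnvName(name)) {
      dropped.push(name);
      continue;
    }
    env[name] = value;
  }
  return { env, dropped };
}
```

Log the `dropped` list at the spawn site; a non-empty list on a request that should never set tooling variables is itself a useful detection signal.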

Added: Apr 28, 2026, 12:23 AM
Updated: Apr 28, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.