OpenClaw Environment Variable Injection Vulnerability in CLI Backend
Vulnerability
A vulnerability allowing environment variable injection has been identified in OpenClaw versions prior to 2026.3.24. This issue resides in the Command Line Interface (CLI) backend runner, where attackers can inject malicious environment variables through crafted workspace configurations. The injected variables may be executed in the backend process, potentially leading to arbitrary code execution or exposure of sensitive data.
Impact
Exploitation of this vulnerability allows for the injection of arbitrary environment variables into the backend process, which could be used to execute malicious code or expose sensitive information.
Reproduction
The vulnerability can be reproduced by creating a workspace configuration that includes malicious environment variables. These variables can be crafted to inject harmful payloads into the CLI backend runner when the workspace is loaded.
Remediation
Users can update to OpenClaw version 2026.3.24 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.