OpenClaw Environment Variable Injection Vulnerability

Vulnerability

A vulnerability allowing environment variable injection has been identified in OpenClaw versions prior to 2026.4.9. This issue arises from the application's ability to load workspace .env files, which can be manipulated to include runtime-control variables. Such variables could disrupt application behavior by altering update sources, gateway URLs, ClawHub resolutions, and browser executable paths.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in how OpenClaw operates, potentially allowing malicious actors to manipulate key application functions and integrations.

Reproduction

The vulnerability can be reproduced by creating a workspace .env file that includes specific OpenClaw runtime-control variables. Once this file is loaded by the application, the injected variables will take effect, altering the application's behavior according to the values provided.
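The mitigation pattern behind this class of issue is to treat a project-local .env file as untrusted input: only an explicit allow-list of settings may be taken from it, and nothing in it may override a variable the operator already set in the process environment. The following is an added example written for this page, not OpenClaw's code; the variable names (EXAMPLE_*) are hypothetical placeholders standing in for the categories the advisory names (update source, gateway URL, hub resolution, browser executable path), and the sample .env content is constructed.

```javascript
// Added example (not OpenClaw's code): a workspace .env loader that refuses to let a
// project-local file set variables controlling the runtime itself.
// All EXAMPLE_* names are hypothetical placeholders; the advisory does not list the
// real variable names.

// Minimal .env parser: KEY=value, optional 'export ', optional quotes, '#' comments.
// A null-prototype object is used so a key such as __proto__ cannot poison the result.
function parseDotenv(text) {
  const vars = Object.create(null);
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // malformed line: skip rather than guess at intent
    const key = m[1];
    let value = m[2];
    const quoted = /^(['"])(.*)\1\s*(#.*)?$/.exec(value);
    value = quoted ? quoted[2] : value.replace(/\s+#.*$/, '').trim();
    vars[key] = value;
  }
  return vars;
}

// Settings a workspace is allowed to set. Anything else, in particular variables that
// steer update sources, gateway endpoints, hub resolution or browser paths, is rejected.
// Hypothetical names.
const WORKSPACE_ALLOWED = new Set([
  'EXAMPLE_WORKSPACE_NAME',
  'EXAMPLE_LOG_LEVEL',
]);

// Returns the variables that may be applied and a list of rejected keys with reasons.
// processEnv is passed in (instead of reading process.env) so the policy is testable.
function loadWorkspaceEnv(text, processEnv) {
  const parsed = parseDotenv(text);
  const applied = {};
  const rejected = [];
  for (const key of Object.keys(parsed)) {
    if (!WORKSPACE_ALLOWED.has(key)) {
      rejected.push({ key, reason: 'not in workspace allow-list' });
      continue;
    }
    if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
      // Operator-set environment always wins over a file checked into a workspace.
      rejected.push({ key, reason: 'already set in process environment' });
      continue;
    }
    applied[key] = parsed[key];
  }
  return { applied, rejected };
}

// Constructed sample workspace .env mixing permitted settings with
// hypothetical runtime-control variables that must not be honoured.
const SAMPLE_DOTENV = `
# constructed sample
EXAMPLE_LOG_LEVEL=debug
EXAMPLE_WORKSPACE_NAME="demo"
EXAMPLE_UPDATE_URL=http://example.invalid/updates   # hypothetical runtime-control var
EXAMPLE_BROWSER_PATH=/tmp/not-a-browser             # hypothetical runtime-control var
`;

// Stand-alone run: EXAMPLE_WORKSPACE_NAME is already set by the operator, so only
// EXAMPLE_LOG_LEVEL is applied; the three other keys are reported as rejected.
const demoResult = loadWorkspaceEnv(SAMPLE_DOTENV, { EXAMPLE_WORKSPACE_NAME: 'operator-set' });
console.log(JSON.stringify(demoResult, null, 2));
```

Logging the rejected keys, rather than silently dropping them, is what turns this from a hardening step into a detection: a workspace that tries to set a runtime-control variable is worth flagging even when the loader refuses it.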

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.9 or later. The latest version available on npm, 2026.4.14, includes the necessary fix.

Added: May 5, 2026, 12:33 PM
Updated: May 5, 2026, 12:33 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          2.5
  exploitability  4.0
  remediation     0.0
  relevance       7.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.