<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-41294 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-41294/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-41294/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Environment Variable Injection Vulnerability (CVE-2026-41294)</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-env-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-env-injection/</guid><description>OpenClaw before 2026.3.28 is vulnerable to environment variable injection by loading a .env file from the current working directory before trusted configuration, potentially allowing attackers to override runtime settings.</description><content:encoded><![CDATA[<p>OpenClaw versions prior to 2026.3.28 are susceptible to environment variable injection due to insecure loading of configuration files. Specifically, the application loads a <code>.env</code> file from the current working directory before applying configurations from trusted state directories. This design flaw allows a malicious actor to inject arbitrary environment variables by placing a crafted <code>.env</code> file within a repository or workspace where OpenClaw is executed. Successful exploitation leads to the overriding of runtime configurations, including potentially security-sensitive environment settings, upon OpenClaw's startup. This vulnerability poses a significant risk to the application's integrity and security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an OpenClaw deployment or development environment.</li>
<li>Attacker crafts a malicious <code>.env</code> file containing environment variables designed to compromise OpenClaw's configuration.</li>
<li>The attacker places the malicious <code>.env</code> file in the current working directory of the OpenClaw application. This could be achieved by compromising a repository where the application code resides or a shared workspace.</li>
<li>OpenClaw application is started or restarted from the compromised working directory.</li>
<li>Upon startup, OpenClaw loads the <code>.env</code> file from the current working directory.</li>
<li>The malicious environment variables within the <code>.env</code> file override existing configurations or inject new settings, such as redirecting log files, modifying API endpoints, or disabling security features.</li>
<li>OpenClaw operates with the attacker-controlled environment variables, potentially leading to data breaches, privilege escalation, or denial-of-service conditions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-41294) allows attackers to manipulate OpenClaw's runtime behavior by injecting arbitrary environment variables. This can lead to a variety of adverse outcomes, including unauthorized access to sensitive data, modification of application settings, and potential compromise of the underlying system. The severity of the impact depends on the specific environment variables targeted and the privileges held by the OpenClaw application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41294).</li>
<li>Implement file integrity monitoring on OpenClaw's working directory to detect unauthorized creation or modification of <code>.env</code> files (file_event log source).</li>
<li>Deploy the Sigma rule provided below to detect suspicious processes creating or modifying <code>.env</code> files in OpenClaw deployment directories.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>environment-variable-injection</category><category>cve-2026-41294</category><category>openclaw</category></item></channel></rss>