{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41384/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41384"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["environment-variable-injection","code-execution","cve-2026-41384"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a CLI tool, is vulnerable to environment variable injection (CVE-2026-41384) in versions prior to 2026.3.24. The vulnerability resides in the CLI backend runner and allows attackers to inject malicious environment variables into the backend process. This is achieved by crafting malicious workspace configurations. Successful exploitation can lead to arbitrary code execution within the context of the OpenClaw process or exposure of sensitive information handled by the application. This vulnerability poses a significant risk to systems using affected versions of OpenClaw, potentially allowing attackers to compromise the confidentiality, integrity, and availability of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious OpenClaw workspace configuration file. This file contains specially crafted environment variables designed to inject malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where OpenClaw is installed, either through local access or by compromising an account that has access to modify OpenClaw workspace configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the existing OpenClaw workspace configuration or creates a new one with the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe user or system executes a command using the OpenClaw CLI, triggering the backend runner.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw CLI backend runner parses the workspace configuration file, including the attacker-controlled environment variables.\u003c/li\u003e\n\u003cli\u003eThe backend runner spawns a new process, inheriting the injected environment variables.\u003c/li\u003e\n\u003cli\u003eThe injected environment variables cause the spawned process to execute arbitrary code, potentially downloading and executing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling them to perform various malicious activities such as data exfiltration, privilege escalation, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41384) allows attackers to inject arbitrary environment variables, potentially leading to code execution or sensitive data exposure. Given the nature of CLI tools often used in automated scripting and deployment pipelines, this could lead to widespread compromise across multiple systems. The severity is rated as HIGH with a CVSS v3.1 score of 7.8.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-41384.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can modify OpenClaw workspace configurations to prevent unauthorized injection of malicious environment variables.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by OpenClaw, using the \u003ccode\u003eOpenClaw Suspicious Child Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on OpenClaw workspace configuration files to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-injection/","summary":"OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.","title":"OpenClaw Environment Variable Injection Vulnerability (CVE-2026-41384)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41384","version":"https://jsonfeed.org/version/1.1"}