Cve-2026-41384 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-41384/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 12:00:00 +0000OpenClaw Environment Variable Injection Vulnerability (CVE-2026-41384)https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.OpenClaw, a CLI tool, is vulnerable to environment variable injection (CVE-2026-41384) in versions prior to 2026.3.24. The vulnerability resides in the CLI backend runner and allows attackers to inject malicious environment variables into the backend process. This is achieved by crafting malicious workspace configurations. Successful exploitation can lead to arbitrary code execution within the context of the OpenClaw process or exposure of sensitive information handled by the application. This vulnerability poses a significant risk to systems using affected versions of OpenClaw, potentially allowing attackers to compromise the confidentiality, integrity, and availability of the system.

Attack Chain

  1. Attacker crafts a malicious OpenClaw workspace configuration file. This file contains specially crafted environment variables designed to inject malicious code.
  2. The attacker gains access to a system where OpenClaw is installed, either through local access or by compromising an account that has access to modify OpenClaw workspace configurations.
  3. The attacker modifies the existing OpenClaw workspace configuration or creates a new one with the malicious environment variables.
  4. The user or system executes a command using the OpenClaw CLI, triggering the backend runner.
  5. The OpenClaw CLI backend runner parses the workspace configuration file, including the attacker-controlled environment variables.
  6. The backend runner spawns a new process, inheriting the injected environment variables.
  7. The injected environment variables cause the spawned process to execute arbitrary code, potentially downloading and executing malware or modifying system settings.
  8. The attacker achieves code execution, enabling them to perform various malicious activities such as data exfiltration, privilege escalation, or denial of service.

Impact

Successful exploitation of this vulnerability (CVE-2026-41384) allows attackers to inject arbitrary environment variables, potentially leading to code execution or sensitive data exposure. Given the nature of CLI tools often used in automated scripting and deployment pipelines, this could lead to widespread compromise across multiple systems. The severity is rated as HIGH with a CVSS v3.1 score of 7.8.

Recommendation

  • Upgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-41384.
  • Implement strict access control policies to limit who can modify OpenClaw workspace configurations to prevent unauthorized injection of malicious environment variables.
  • Monitor process creation events for unusual processes spawned by OpenClaw, using the OpenClaw Suspicious Child Processes Sigma rule.
  • Implement file integrity monitoring on OpenClaw workspace configuration files to detect unauthorized modifications.
]]>highadvisoryenvironment-variable-injectioncode-executioncve-2026-41384