Cve-2026-43531 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-43531/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 05 May 2026 12:16:19 +0000OpenClaw Environment Variable Injection Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-openclaw-env-injection/Tue, 05 May 2026 12:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-openclaw-env-injection/OpenClaw before version 2026.4.9 is vulnerable to environment variable injection, allowing attackers to use malicious workspace .env files to set runtime-control variables and compromise application behavior affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths.OpenClaw before version 2026.4.9 is susceptible to an environment variable injection vulnerability. This flaw enables attackers to manipulate runtime-control variables by crafting malicious workspace .env files. Successful exploitation can lead to the redirection of update sources to attacker-controlled servers, modification of gateway URLs to intercept traffic, alteration of ClawHub resolution to point to malicious resources, and substitution of browser executable paths to execute arbitrary code. This vulnerability allows an attacker to potentially gain control of the application’s behavior and compromise the underlying system.

Attack Chain

  1. The attacker crafts a malicious .env file containing environment variable definitions designed to override default application settings.
  2. The attacker places the malicious .env file into a workspace directory accessible by the OpenClaw application.
  3. OpenClaw application parses the .env file during startup or when a workspace is loaded.
  4. The application reads the attacker-controlled environment variables, which are intended to modify update sources, gateway URLs, ClawHub resolution endpoints, and browser executable paths.
  5. The attacker redirects the update source to a malicious server hosting a compromised update package.
  6. The application downloads and installs the malicious update, leading to code execution.
  7. Alternatively, the attacker manipulates the browser executable path to execute arbitrary code using a different application.

Impact

Successful exploitation of this vulnerability allows attackers to inject arbitrary environment variables, leading to code execution and potential system compromise. Attackers could redirect update sources, manipulate gateway URLs, or alter browser executable paths to execute malicious code. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.

Recommendation

  • Upgrade OpenClaw to version 2026.4.9 or later to patch the environment variable injection vulnerability (CVE-2026-43531).
  • Implement strict file integrity monitoring on workspace directories to detect unauthorized modification of .env files using a file_event Sigma rule.
  • Monitor process execution for OpenClaw using unexpected browser executable paths by deploying the process_creation Sigma rule below.
]]>highadvisoryenvironment variable injectionapplication compromisecve-2026-43531