{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/environment-variable-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41384"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["environment-variable-injection","code-execution","cve-2026-41384"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a CLI tool, is vulnerable to environment variable injection (CVE-2026-41384) in versions prior to 2026.3.24. The vulnerability resides in the CLI backend runner and allows attackers to inject malicious environment variables into the backend process. This is achieved by crafting malicious workspace configurations. Successful exploitation can lead to arbitrary code execution within the context of the OpenClaw process or exposure of sensitive information handled by the application. This vulnerability poses a significant risk to systems using affected versions of OpenClaw, potentially allowing attackers to compromise the confidentiality, integrity, and availability of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious OpenClaw workspace configuration file. This file contains specially crafted environment variables designed to inject malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where OpenClaw is installed, either through local access or by compromising an account that has access to modify OpenClaw workspace configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the existing OpenClaw workspace configuration or creates a new one with the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe user or system executes a command using the OpenClaw CLI, triggering the backend runner.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw CLI backend runner parses the workspace configuration file, including the attacker-controlled environment variables.\u003c/li\u003e\n\u003cli\u003eThe backend runner spawns a new process, inheriting the injected environment variables.\u003c/li\u003e\n\u003cli\u003eThe injected environment variables cause the spawned process to execute arbitrary code, potentially downloading and executing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling them to perform various malicious activities such as data exfiltration, privilege escalation, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41384) allows attackers to inject arbitrary environment variables, potentially leading to code execution or sensitive data exposure. Given the nature of CLI tools often used in automated scripting and deployment pipelines, this could lead to widespread compromise across multiple systems. The severity is rated as HIGH with a CVSS v3.1 score of 7.8.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-41384.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can modify OpenClaw workspace configurations to prevent unauthorized injection of malicious environment variables.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by OpenClaw, using the \u003ccode\u003eOpenClaw Suspicious Child Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on OpenClaw workspace configuration files to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-injection/","summary":"OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.","title":"OpenClaw Environment Variable Injection Vulnerability (CVE-2026-41384)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["npm","openclaw","environment-variable-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package, a tool used within the npm ecosystem, was found to have a vulnerability affecting versions prior to 2026.4.10. This vulnerability stems from an inadequate environment variable denylist in the exec environment policy. Specifically, the policy failed to block high-risk interpreter startup variables such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. This oversight allowed malicious actors to potentially inject arbitrary environment variables, thereby influencing the behavior of downstream execution or network operations. The vulnerability was reported by @feiyang666 of Tencent zhuque Lab. The fix was implemented in version 2026.4.10 and later, with version 2026.4.14 containing the fix as well. This vulnerability allows for potential code execution or network manipulation through environment variables.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over an environment where the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e package is utilized.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the \u003ccode\u003eopenclaw\u003c/code\u003e version is prior to 2026.4.10.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious environment variable, such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, or \u003ccode\u003eHOSTALIASES\u003c/code\u003e, into the system\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package executes a process that reads and utilizes environment variables without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected environment variable overrides the intended behavior of the process. For example, \u003ccode\u003eVIMINIT\u003c/code\u003e can be used to execute arbitrary vim commands upon startup.\u003c/li\u003e\n\u003cli\u003eThis execution leads to arbitrary code execution or modified network behavior, depending on the injected variable. For example, \u003ccode\u003eHOSTALIASES\u003c/code\u003e can redirect network requests to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining unauthorized access, exfiltrating data, or causing denial of service.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised environment to propagate the attack further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for arbitrary code execution or network redirection by injecting malicious environment variables. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, or denial-of-service conditions. The specific impact depends on the context in which \u003ccode\u003eopenclaw\u003c/code\u003e is used and the permissions of the user running the affected process. The reported vulnerability has been fixed in \u003ccode\u003eopenclaw\u003c/code\u003e version 2026.4.10 and later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.4.10 or later to remediate the vulnerability, as indicated in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-vfp4-8x56-j7c5\"\u003ehttps://github.com/advisories/GHSA-vfp4-8x56-j7c5\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the presence of environment variables being passed to child processes, focusing on \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. Implement the Sigma rule below to detect suspicious process execution involving these variables.\u003c/li\u003e\n\u003cli\u003eImplement a system-wide policy to restrict the modification of environment variables by non-administrative users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T21:54:20Z","date_published":"2026-04-17T21:54:20Z","id":"/briefs/2024-01-23-openclaw-env-injection/","summary":"The openclaw package versions prior to 2026.4.10 are vulnerable to environment variable injection, where the exec environment policy missed interpreter startup variables allowing operator-supplied environment overrides to influence downstream execution or network behavior, addressed in versions 2026.4.10 and later.","title":"OpenClaw Environment Variable Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-openclaw-env-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["rce","environment-variable-injection","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is vulnerable to a remote code execution (RCE) issue affecting versions prior to 2026.4.8. The vulnerability, identified as GHSA-cm8v-2vh9-cxf3, stems from missing denylist entries for environment variables that influence build tools. Specifically, HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS were not properly sanitized, allowing a malicious actor to inject arbitrary commands into the build process. This can lead to the execution of untrusted code on the host system. The vulnerability was reported by @boy-hack of Tencent zhuque Lab. The fix is available in version 2026.4.8 and commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious environment variables, such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS, containing shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a build process within OpenClaw that utilizes the affected environment variables. This could involve providing a specific input or interacting with OpenClaw in a way that initiates a build operation.\u003c/li\u003e\n\u003cli\u003eDue to the missing denylist, OpenClaw does not sanitize the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe build tool, influenced by the attacker-controlled environment variables, executes the injected shell commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands execute with the privileges of the OpenClaw process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as installing malware, exfiltrating data, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system running OpenClaw. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. Given OpenClaw\u0026rsquo;s nature as a user-controlled local assistant, the impact is primarily on individual user systems. However, in environments where OpenClaw is deployed more broadly, the vulnerability could be leveraged to compromise multiple machines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch the vulnerability (see \u0026ldquo;Affected Packages / Versions\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by OpenClaw or its build tool subprocesses (see rules below).\u003c/li\u003e\n\u003cli\u003eImplement additional input validation and sanitization measures to prevent environment variable injection in other applications.\u003c/li\u003e\n\u003cli\u003eReview and harden build processes to limit the influence of environment variables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:29Z","date_published":"2026-04-09T14:22:29Z","id":"/briefs/2024-01-09-openclaw-rce/","summary":"OpenClaw versions prior to 2026.4.8 are vulnerable to remote code execution (RCE) via build tool environment variable injection due to missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS, allowing hostile environment variables to influence host exec commands.","title":"OpenClaw RCE via Build Tool Environment Variable Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","npm","package-index-redirection","environment-variable-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability that allows for the redirection of Python package-index traffic. This is due to insufficient sanitization of the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e and \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables during host execution. An attacker can potentially exploit this vulnerability to redirect package installation traffic to a malicious index, potentially leading to the installation of compromised packages. The scope of this vulnerability is limited to approved or allowlisted package-management execution paths, mitigating the risk of arbitrary remote execution. Version 2026.3.31 and later contain the fix. The vulnerability was reported by @nexrin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a system using a vulnerable version (\u0026lt;=2026.3.28) of the \u003ccode\u003eopenclaw\u003c/code\u003e npm package.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system or its environment configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sets either the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variable to point to a malicious Python package index server.\u003c/li\u003e\n\u003cli\u003eThe system executes a package installation command (e.g., \u003ccode\u003epip install \u0026lt;package\u0026gt;\u003c/code\u003e) through \u003ccode\u003eopenclaw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eopenclaw\u003c/code\u003e, without proper sanitization, uses the attacker-controlled environment variable when resolving package dependencies.\u003c/li\u003e\n\u003cli\u003eThe package manager connects to the malicious index server specified in the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eThe attacker serves malicious or backdoored Python packages through the rogue index.\u003c/li\u003e\n\u003cli\u003eThe system installs the malicious packages, potentially compromising the system with arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the installation of malicious Python packages on systems utilizing the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e version. This could result in arbitrary code execution, data theft, or other malicious activities, depending on the contents of the malicious packages. The scope is somewhat limited since only allowlisted execution paths are affected, which reduces the blast radius.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process executions involving \u003ccode\u003eopenclaw\u003c/code\u003e and the use of \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Using Suspicious Index URL\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict allowlisting of package management execution paths to further limit the potential impact.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture command line arguments and environment variables for the \u003ccode\u003eopenclaw\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:57:44Z","date_published":"2026-04-02T20:57:44Z","id":"/briefs/2026-04-openclaw-index-redirect/","summary":"The openclaw npm package is vulnerable to Python package-index redirection through host execution due to improper sanitization of `PIP_INDEX_URL` and `UV_INDEX_URL`, affecting versions 2026.3.28 and earlier.","title":"OpenClaw NPM Package Vulnerable to Python Package Index Redirection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-index-redirect/"}],"language":"en","title":"CraftedSignal Threat Feed — Environment-Variable-Injection","version":"https://jsonfeed.org/version/1.1"}