OpenClaw Arbitrary Code Execution via Environment Variable Override (CVE-2026-41336)

hello@craftedsignal.io — Fri, 24 Apr 2026 12:00:00 +0000

OpenClaw versions prior to 2026.3.31 are susceptible to an arbitrary code execution vulnerability, tracked as CVE-2026-41336. This flaw stems from the application’s insecure handling of environment variables. Specifically, the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, which dictates the directory from which OpenClaw loads bundled hooks, can be overridden by a workspace-specific .env file. This allows a malicious actor to craft a .env file within an untrusted workspace that points to a directory containing attacker-controlled hook code. Upon loading the workspace, OpenClaw will execute the malicious code, effectively granting the attacker arbitrary code execution within the application’s context. This vulnerability poses a significant risk to systems utilizing OpenClaw, as it can lead to complete system compromise.

Attack Chain

The attacker creates a malicious hook code file (e.g., evil_hook.py) containing arbitrary code to be executed.
The attacker creates a directory (e.g., /tmp/evil_hooks) and places the malicious hook code file within it.
The attacker crafts a .env file containing the line OPENCLAW_BUNDLED_HOOKS_DIR=/tmp/evil_hooks.
The attacker places the malicious .env file into a workspace that a victim user is likely to open within OpenClaw.
The victim user opens the workspace within OpenClaw.
OpenClaw reads the .env file and overrides the default OPENCLAW_BUNDLED_HOOKS_DIR with the attacker-controlled path /tmp/evil_hooks.
OpenClaw loads and executes the malicious hook code from evil_hook.py, granting the attacker arbitrary code execution.
The attacker gains control of the OpenClaw process and potentially the underlying system.

Impact

Successful exploitation of CVE-2026-41336 allows an attacker to execute arbitrary code within the context of the OpenClaw application. This could lead to the complete compromise of the affected system, including data theft, modification, or destruction. Given the nature of the vulnerability, any system running a vulnerable version of OpenClaw is at risk if it processes untrusted workspaces. The CVSS v3.1 base score of 7.8 reflects the high potential impact of this vulnerability.

Recommendation

Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41336.
Implement strict workspace validation to prevent the loading of malicious .env files.
Monitor process creations originating from the OpenClaw process for suspicious activity using the OpenClaw Suspicious Process Creation Sigma rule.
Deploy the OpenClaw Environment Variable Override Sigma rule to detect attempts to override the OPENCLAW_BUNDLED_HOOKS_DIR variable.

OpenClaw Plugin Trust Verification Bypass via Environment Variable Override

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

OpenClaw, a yet-to-be-defined application, is susceptible to a plugin trust verification bypass. Prior to version 2026.3.31, the application permits workspace-specific .env files to redefine the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable. This vulnerability enables an attacker who has control over the workspace configuration to inject malicious plugins. By manipulating the directory from which OpenClaw loads bundled plugins, an attacker can circumvent the intended trust mechanisms, leading to the execution of untrusted code within the application’s context. This could lead to code execution, data exfiltration, or other malicious activities, depending on the injected plugin’s capabilities.

Attack Chain

Attacker gains access to the OpenClaw workspace configuration files. This could be achieved through compromised credentials or other means of unauthorized access.
Attacker creates or modifies a .env file within the workspace.
The .env file is populated with a malicious definition of the OPENCLAW_BUNDLED_PLUGINS_DIR variable, pointing to a directory under the attacker’s control.
Attacker places a malicious plugin in the directory specified in the modified OPENCLAW_BUNDLED_PLUGINS_DIR.
OpenClaw application is launched or reloaded, parsing the .env file and setting the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable accordingly.
OpenClaw attempts to load plugins from the directory specified by the attacker-controlled OPENCLAW_BUNDLED_PLUGINS_DIR.
The malicious plugin is loaded and executed by OpenClaw, granting the attacker code execution within the application’s environment.
The attacker can now perform malicious actions such as data exfiltration or further compromise of the system.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the OpenClaw application and potentially the underlying system. An attacker could inject malicious plugins to steal sensitive data, modify application behavior, or establish persistence for future attacks. The severity of the impact depends on the permissions granted to the OpenClaw process and the capabilities of the injected plugin. The number of affected users or organizations is currently unknown.

Recommendation

Upgrade OpenClaw to version 2026.3.31 or later to remediate the vulnerability (CVE-2026-41396).
Monitor file creation and modification events for .env files within OpenClaw workspaces. Deploy the Sigma rule Detect Suspicious .env File Modification in OpenClaw Workspace to detect malicious modifications.
Implement strict access controls for OpenClaw workspace configuration files to prevent unauthorized modification.
Consider restricting the ability of the OpenClaw application to load plugins from arbitrary directories.
Implement the file integrity monitoring (FIM) of plugin directories.

Environment-Variable-Override — CraftedSignal Threat Feed

OpenClaw Arbitrary Code Execution via Environment Variable Override (CVE-2026-41336)

Attack Chain

Impact

Recommendation

OpenClaw Plugin Trust Verification Bypass via Environment Variable Override

Attack Chain

Impact

Recommendation