OpenClaw: Workspace dotenv could override runtime-control environment variables

GHSA-hxvm-xjvf-93f3 · CVE-2026-44114

Published Apr 25, 2026 · Modified May 12, 2026

Description

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: < 2026.4.20
Patched version: 2026.4.20

Impact

Workspace .env loading did not reserve the OPENCLAW_ runtime-control namespace broadly enough. A malicious workspace could set variables such as OPENCLAW_GIT_DIR before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior.

This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.

Fix

OpenClaw now reserves the workspace OPENCLAW_ environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables.

Fix commit:

018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6

Release

Fixed in OpenClaw 2026.4.20.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44114
WEB https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6
PACKAGE https://github.com/openclaw/openclaw
WEB https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes