
4 matches found

Circl
added 2026/04/21 1:7 a.m., 2 views

CVE-2026-41294

creationtimestamp | type | source
---|---|---
2026-04-21 01:07:55+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjxs7s6hh52c
2026-04-21 01:18:26+00:00 | published-proof-of-concept | Telegram/Ww620GgPpyXrrMPbpNwPksYQUctI-RNYBJrVLxtJIutZ-I
2026-04-27 23:07:07+00:00 | seen | ...

CVSS 8.6, AI score 5.3, EPSS 0.0013
Exploits: 0, References: 2
Cvelist
added 2026/04/20 11:8 p.m., 30 views

CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...

CVSS 8.6, EPSS 0.0013
Exploits: 0, References: 2
CVE
added 2026/04/20 11:8 p.m., 11 views

CVE-2026-41294

OpenClaw is affected by CVE-2026-41294: versions before 2026.3.28 load the current working directory’s .env file during startup before trusted state-dir configuration, allowing environment variable injection that can override runtime configuration and security-sensitive environment settings. The ...

CVSS 8.6, AI score 5.8, EPSS 0.0013
Exploits: 0, References: 2, Affected Software: 1
vulnersOsv
added 2026/04/01 12:2 a.m., 4 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +11 more potentially affected by CVE-2026-41294 via openclaw (>=2026.3.22 <=2026.3.24)

openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 Source cves: CVE-2026-41294 Source advisory: SNYK:JS-OPENCLAW-15864960...

CVSS 8.6, AI score 5.4, EPSS 0.0013
Exploits: 0