Lucene search
+L

116 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/27 11:24 p.m.4 views

CVE-2026-41369

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system...

7.1CVSS5.5AI score0.00307EPSS
Exploits0References4
OSV
OSV
added 2026/04/27 11:24 p.m.3 views

CVE-2026-41369 OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system...

7.1CVSS6.1AI score0.00307EPSS
Exploits0References5
CVE
CVE
added 2026/04/27 11:24 p.m.30 views

CVE-2026-41369

OpenClaw prior to 2026.3.31 is affected by insufficient environment variable sanitization in host execution paths. The vulnerability concerns the sanitization of environment variables related to packages, registries, Docker, compilers, and TLS overrides, allowing an attacker to inject malicious v...

7.1CVSS5.5AI score0.00307EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/04/27 11:24 p.m.8 views

EUVD-2026-25949

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system...

7.1CVSS5.5AI score0.00307EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/27 11:24 p.m.40 views

CVE-2026-41369 OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system...

7.1CVSS0.00307EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.11 views

PT-2026-35557

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system...

7.1CVSS5.5AI score0.00307EPSS
Exploits0References4
CVE
CVE
added 2026/04/23 12:47 a.m.46 views

CVE-2026-41208

The CVE affects Paperclip server (@paperclipai/server) prior to 2026.416.0. A privilege escalation exists where an attacker with an Agent API key can modify adapterConfig via /agents/:id, specifically workspaceStrategy.provisionCommand, which is later executed by the server runtime. This allows i...

8.8CVSS6.8AI score0.00591EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/04/21 12:16 a.m.7 views

CVE-2026-41303

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending hos...

8.8CVSS0.00407EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.13 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities were caused by an issue with environment variable overrides in the host execution policy, which could allow attacker...

4.4CVSS5.9AI score0.00124EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.11 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.28 contained security vulnerabilities. These vulnerabilities stemmed from unauthorized authorization in Discord’s text approval commands, allowing unauthorized users to bypass t...

8.8CVSS5.9AI score0.00407EPSS
Exploits1References1
OSV
OSV
added 2026/04/20 11:8 p.m.3 views

CVE-2026-41330 OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification,...

2CVSS6AI score0.00124EPSS
Exploits0References5
CVE
CVE
added 2026/04/20 11:8 p.m.23 views

CVE-2026-41303

OpenClaw before 2026.3.28 contains an authorization bypass in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Specifically, the channels.discord.execApprovals.approvers allowlist can be bypassed by using Discord text commands to approve pending host exe...

8.8CVSS6AI score0.00407EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/20 11:8 p.m.7 views

EUVD-2026-24014

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending hos...

8.8CVSS6AI score0.00407EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/09 5:37 p.m.8 views

OpenClaw Host-Exec Environment Variable Injection

Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant servic...

5.9AI score
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/07 11:17 p.m.4 views

EUVD-2026-19996

An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x8664 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virti...

8.7CVSS6.6AI score0.00208EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/03 3:0 a.m.7 views

Uncontrolled Search Path Element

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Uncontrolled Search Path Element via environment variable overrides of compiler binaries during approved host execution requests. An attacker can execute arbitrary code by substituting...

7.3CVSS6.3AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/03 3:0 a.m.44 views

OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

Summary Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGOBUILDRUSTC, CMAKECCOMPILER via env overrides on approved host exec requests Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3....

6.1CVSS5.9AI score0.0013EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/03 2:57 a.m.4 views

GHSA-9GP8-HJXR-6F34 OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on...

4.8CVSS5.9AI score0.00124EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/03 2:57 a.m.6 views

OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on...

4.4CVSS5.9AI score0.00124EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.9 views

CVE-2026-29608

OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text...

6.7CVSS6.1AI score0.0013EPSS
Exploits0References1
Rows per page
Query Builder