Lucene search
K

5 matches found

NVD
NVD
added 2026/04/21 12:16 a.m.7 views

CVE-2026-41294

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...

8.6CVSS0.0013EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.28 contained security vulnerabilities. These vulnerabilities stemmed from loading the current working directory’s .env file before configuring the trusted state directory, which...

8.6CVSS5.8AI score0.0013EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/20 11:8 p.m.34 views

CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...

8.6CVSS0.0013EPSS
Exploits0References2
OSV
OSV
added 2026/04/01 12:2 a.m.2 views

GHSA-8RH7-6779-CJQQ OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover

Summary OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values. Impact A repository or workspace containing a malicious .env file could override runtime configuration and security-sensitive...

9.6CVSS5.9AI score0.0013EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.6 views

PT-2026-33861

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description An environment variable injection issue occurs because the software loads the .env file from the current working directory before the trusted state-dir configuration. This allows untrusted...

9.6CVSS5.7AI score0.0013EPSS
Exploits0References14
Rows per page
Query Builder