Lucene search
K

5 matches found

NVD
NVD
added 2026/04/28 7:37 p.m.9 views

CVE-2026-41373

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGOBUILDRUSTC, and CMAKECCOMPILER via environment overrides. Attackers with approved host-exec requests c...

6.1CVSS0.0013EPSS
Exploits0References3
CVE
CVE
added 2026/04/28 6:9 p.m.26 views

CVE-2026-41373

OpenClaw vulnerable before 2026.3.31 due to an incomplete host-env-security-policy.json that does not restrict compiler environment variables. This allows untrusted models to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via environment overrides when an approved hos...

6.1CVSS5.8AI score0.0013EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/04/28 12:0 a.m.12 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from incomplete host environment variable cleanup mechanisms in the host-env-security-policy.json and...

8.5CVSS5.9AI score0.00241EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/03 3:0 a.m.38 views

OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

Summary Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGOBUILDRUSTC, CMAKECCOMPILER via env overrides on approved host exec requests Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3....

6.1CVSS5.9AI score0.0013EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/02/27 9:36 p.m.3 views

GHSA-82G8-464F-2MV7 OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence...

5.1CVSS5.9AI score0.00316EPSS
Exploits0References5
Rows per page
Query Builder