EUVD-2026-29140

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODEOPTIONS, LDPRELOAD, or BASHENV to spawne...

GHSA-P3M6-JR2H-HHXJ Duplicate Advisory: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mj59-h3q9-ghfh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server...

CVE-2026-44995

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODEOPTIONS, LDPRELOAD, or BASHENV to spawne...

PT-2026-39684

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE OPTIONS, LD PRELOAD, or BASH ENV to...

CVE-2026-43584

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUAINIT, and HOSTALIASES. Attackers can exploit this by...

Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfp4-8x56-j7c5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environmen...

CVE-2026-43584

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUAINIT, and HOSTALIASES. Attackers can exploit this by...

CVE-2026-43584

OpenClaw prior to version 2026.4.10 is affected by an insufficient environment variable denylist in the exec policy. This vulnerability allows operator-supplied overrides of high-risk interpreter startup variables (VIMINIT, EXINIT, LUA_INIT, HOSTALIASES), enabling manipulation of downstream execu...

CVE-2026-43584 OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUAINIT, and HOSTALIASES. Attackers can exploit this by...

PT-2026-38239

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.10 Description An insufficient environment variable denylist in the exec environment policy allows operator-supplied overrides of high-risk interpreter startup variables. Specifically, the variables VIMINIT,...

NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config

NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...

OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Summary Exec environment denylist missed high-risk interpreter startup variables. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The exec environment policy missed interpreter startup variables such as VIMINIT, EXINIT, LUAINIT, and...