
4 matches found

Cvelist
added 2026/04/23 9:57 p.m. | 29 views

CVE-2026-41339 OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks...

CVSS 5.3 | EPSS 0.00283
Exploits 0 | References 3
CNNVD
added 2026/04/23 12:0 a.m. | 8 views

OpenClaw Security Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.2 contained security vulnerabilities. These vulnerabilities stemmed from exposing configPath and stateDir metadata to non-administrator authenticated clients during the Gateway...

CVSS 5.3 | AI score 5.8 | EPSS 0.00283
Exploits 0 | References 1
ATTACKERKB
added 2026/04/20 11:8 p.m. | 0 views

CVE-2026-41294

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...

CVSS 8.6 | AI score 5.8 | EPSS 0.0013
Exploits 0 | References 3
CVE
added 2026/04/20 11:8 p.m. | 12 views

CVE-2026-41294

OpenClaw is affected by CVE-2026-41294: versions before 2026.3.28 load the current working directory’s .env file during startup before trusted state-dir configuration, allowing environment variable injection that can override runtime configuration and security-sensitive environment settings. The ...

CVSS 8.6 | AI score 5.8 | EPSS 0.0013
Exploits 0 | References 2 | Affected Software 1