161 matches found
CVE-2026-42427
OpenClaw is affected (pre-2026.4.8). The vulnerability arises from missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS in the build environment, enabling attackers to inject hostile environment variables that influence host exec commands and achieve remo...
CVE-2026-42427 OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGOBUILDRUSTCWRAPPER, RUSTCWRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and...
CVE-2026-41915
CVE-2026-41915 affects OpenClaw prior to 2026.4.8. The vulnerability arises from failing to remove git plumbing environment variables (e.g., GIT_DIR) from the execution environment before host exec operations, allowing an attacker to set these vars to redirect git operations and potentially compr...
CVE-2026-41915 OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GITDIR and related variables to redirect git operations and compromise repository integrity...
CVE-2026-41384
OpenClaw prior to 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows malicious workspace configs to inject environment variables into the spawned backend process, enabling code execution or sensitive data exposure. Affected package: openclaw (...
EUVD-2026-26093
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables...
CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables...
CVE-2026-41384
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables...
CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.24 contained security vulnerabilities. These vulnerabilities stemmed from an environment variable injection vulnerability in the CLI backend runner, allowing attackers to inject...
CVE-2026-41294
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.28 contained security vulnerabilities. These vulnerabilities stemmed from loading the current working directory’s .env file before configuring the trusted state directory, which...
CVE-2026-41294
OpenClaw is affected by CVE-2026-41294: versions before 2026.3.28 load the current working directory’s .env file during startup before trusted state-dir configuration, allowing environment variable injection that can override runtime configuration and security-sensitive environment settings. The ...
CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...
CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...
PT-2026-37016
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.9 Description An environment variable injection issue exists where malicious workspace .env files can set runtime-control variables. This allows attackers to inject variables that affect update sources, gatewa...
Flowise: Parameter Override Bypass Remote Command Execution
Summary Flowise is vulnerable to a critical unauthenticated remote command execution RCE vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODEOPTIONS environment variable injection. This allows for the execution of arbitrary syste...
EUVD-2026-21156
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars...
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
Impact HGRCPATH, CARGOBUILDRUSTCWRAPPER, RUSTCWRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection GHSA-cm8v-2vh9-cxf3 class. Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands. OpenClaw is a user-controlle...
PT-2026-31782
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai model, openai key, and openai base without validating that these values do not contain commas. gcloud...