2 matches found
CVE-2026-43531
OpenClaw is vulnerable prior to version 2026.4.9 due to an environment variable injection flaw that allows malicious workspace .env files to set runtime-control variables. This can alter update sources, gateway URLs, ClawHub resolution, and browser executable paths, potentially changing applicati...
GHSA-3QPV-XF3V-MM45 OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
Summary Workspace .env can override the bundled hooks root and load attacker hook code Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAWBUNDLEDHOOKSDIR, which can replace trusted default-on bundled hooks from ...