Incomplete List of Disallowed Inputs in OpenClaw - CVE-2026-41369

 

Incomplete List of Disallowed Inputs in OpenClaw - CVE-2026-41369

Published: April 30, 2026


Vulnerability identifier: #VU128623
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41369
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to influence host execution behavior.

The vulnerability exists due to an incomplete list of disallowed inputs in the host exec environment sanitization policy when processing environment variables for host execution. A remote user can set package, registry, Docker, compiler, or TLS override variables to influence host execution behavior.


How to mitigate CVE-2026-41369

Install security update from vendor's website.

Sources