Incomplete List of Disallowed Inputs in OpenClaw - CVE-2026-41369
Published: April 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to influence host execution behavior.
The vulnerability exists due to an incomplete list of disallowed inputs in the host exec environment sanitization policy when processing environment variables for host execution. A remote user can set package, registry, Docker, compiler, or TLS override variables to influence host execution behavior.