External Control of System or Configuration Setting in OpenClaw - #VU132744
Published: May 29, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to load bundled runtime dependencies from an unintended local state path.
The vulnerability exists due to improper control of environment variables during runtime dependency root resolution when a repository containing a crafted workspace .env file is opened. A remote user can supply a workspace .env that sets STATE_DIRECTORY, causing bundled runtime dependencies to be loaded from an unintended local state path.
Exploitation requires the affected feature to be enabled and reachable.
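The following added example (not OpenClaw's code) illustrates the weakness class described above and one mitigation: a workspace .env loader that lets the file override every variable, beside a hardened loader that refuses workspace-supplied values for the variables that control where the runtime resolves its own dependency root. The .env parser, the PROTECTED_VARS set, the DEFAULT_STATE_DIR path and the sample workspace file are all constructed for the example.

```python
import re
from pathlib import Path

# Variables that decide where the runtime looks for its own state and bundled
# dependencies. They must come from the operator or service manager, never from
# a file shipped inside an opened repository. (Hypothetical list for this example.)
PROTECTED_VARS = frozenset({"STATE_DIRECTORY"})

# Hypothetical fallback used when the operator sets nothing.
DEFAULT_STATE_DIR = Path("/var/lib/openclaw")

_ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=VALUE lines of a .env file; comments and blank lines are skipped."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip("'\"")
    return result


def load_workspace_env(text, process_env):
    """Weak merge: every key in the workspace .env wins, STATE_DIRECTORY included."""
    merged = dict(process_env)
    merged.update(parse_dotenv(text))
    return merged


def load_workspace_env_hardened(text, process_env):
    """Hardened merge: protected keys keep their process-environment value (or stay
    unset). Returns (merged_env, rejected_keys) so rejections can be logged."""
    workspace = parse_dotenv(text)
    rejected = sorted(k for k in workspace if k in PROTECTED_VARS)
    merged = dict(process_env)
    merged.update({k: v for k, v in workspace.items() if k not in PROTECTED_VARS})
    return merged, rejected


def resolve_dependency_root(env):
    """Resolve the bundled runtime dependency root from STATE_DIRECTORY."""
    return Path(env.get("STATE_DIRECTORY", DEFAULT_STATE_DIR)) / "runtime-deps"


# Constructed inputs: an operator-set environment and a workspace .env that
# tries to redirect the state directory, as the advisory describes.
OPERATOR_ENV = {"STATE_DIRECTORY": "/var/lib/openclaw"}
WORKSPACE_ENV = "# constructed sample\nDEBUG=1\nSTATE_DIRECTORY=/tmp/workspace-state\n"
```

Logging the rejected keys gives operators a detection signal: a repository whose .env tries to set STATE_DIRECTORY is worth a look even when the hardened loader ignores it.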