Incomplete List of Disallowed Inputs in OpenClaw - #VU135904

Published: June 30, 2026


Vulnerability identifier: #VU135904
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an incomplete list of disallowed inputs in the workspace dotenv file handling when a configured input path is processed. A remote attacker can supply a specially crafted workspace dotenv file to disclose sensitive information.

Only instances where the affected feature is enabled and reachable are vulnerable, and user interaction is required.


Remediation

Install the security update from the vendor's website.

Sources