Incomplete List of Disallowed Inputs in OpenClaw - #VU135904
Published: June 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an incomplete list of disallowed inputs in the workspace dotenv file handling when processing a configured input path. A remote attacker can provide a specially crafted workspace dotenv file to disclose sensitive information.
Only instances where the affected feature is enabled and reachable are vulnerable, and user interaction is required.