OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.

AI Analysis

Insufficient environment variable denylist vulnerability in exec environment policy

Basic Information

ID CVE-2026-43584

Source VulnCheck

Published May 6, 2026 at 19:49

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-184

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor OpenClaw

Product OpenClaw

Version < 2026.4.10

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.",
    "published": "2026-05-06T19:49:26.146Z",
    "modified": "2026-05-06T19:49:26.146Z",
    "type": "cve",
    "title": "OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5\nhttps://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140\nhttps://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy",
    "id": "CVE-2026-43584",
    "bulletinFamily": "",
    "cwe": [
        "CWE-184"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Insufficient environment variable denylist vulnerability in exec environment policy",
    "ai_severity": "High",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.4.10",
    "ai_score": 8.7
}

OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy_CVE-2026-43584