Vulnerability in Openclaw
CVE-2026-41330
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment…
EPSS: 0.000 (2.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.4 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.
Affected products
- Openclaw — versions 0, 2026.3.31
Weakness classification (CWE)
References
- GitHub Security Advisory (GHSA-9gp8-hjxr-6f34) (vendor-advisory)
- Patch Commit (patch)
- VulnCheck Advisory: OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy (third-party-advisory)
Frequently asked questions
- What is CVE-2026-41330?
- CVE-2026-41330 is a medium-severity vulnerability in Openclaw, classified under CWE-453. CVSS score: 4.4/10. Published 2026-04-20.
- How severe is CVE-2026-41330?
- Medium severity. CVSS v3 base score is 4.4 out of 10.