CVE-2026-41332

· NIST NVD ↗

OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.

MEDIUM
CVSS severity
5.3
CVSS base score
2026-04-23
Published

CWE codes

CWE-184

Affected products

openclaw:openclaw

Sources