CVE-2026-41336

· NIST NVD ↗

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.

HIGH
CVSS severity
7.8
CVSS base score
2026-04-23
Published

CWE codes

CWE-829

Affected products

openclaw:openclaw

Sources