CVE-2026-41357

· NIST NVD ↗

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.

LOW
CVSS severity
3.3
CVSS base score
2026-04-23
Published

CWE codes

CWE-214

Affected products

openclaw:openclaw

Sources