OpenClaw: Workspace dotenv could override runtime-control environment variables — CVE-2026-44114
GitHub · GitHub · CVE-2026-44114
ID
CVE-2026-44114
CVE-2026-44114
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.5
8.5
EPSS
0.00022
0.00022
Summary
## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires…
Product
npm: openclaw
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.