Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44114

CVE-2026-44114: OpenClaw RCE Vulnerability

CVE-2026-44114 is a remote code execution flaw in OpenClaw that allows attackers to override critical runtime variables through workspace dotenv files. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-44114 Overview

CVE-2026-44114 affects OpenClaw versions before 2026.4.20. The vulnerability stems from incomplete reservation of the OPENCLAW_ runtime-control environment namespace inside workspace dotenv (.env) files. Attackers can override critical runtime variables by placing malicious entries in workspace-level configuration. A malicious workspace can set variables such as OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. The flaw is categorized under [CWE-184] Incomplete List of Disallowed Inputs and requires local access combined with user interaction to trigger.

Critical Impact

Malicious workspace .env files can hijack OpenClaw runtime variables, leading to high-confidentiality, integrity, and availability impact on the affected host during source-update or installer execution.

Affected Products

  • OpenClaw versions prior to 2026.4.20
  • Workspaces using untrusted dotenv (.env) configuration files
  • Installer and source-update flows that consume OPENCLAW_* variables

Discovery Timeline

  • 2026-05-06 - CVE-2026-44114 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-44114

Vulnerability Analysis

OpenClaw maintains a list of environment variable prefixes that workspace .env files are not permitted to set. This allowlist enforcement protects trusted runtime variables from being overridden by untrusted workspace configuration. The pre-patch list reserved specific prefixes such as OPENCLAW_CLAWHUB_, OPENCLAW_DISABLE_, and OPENCLAW_SKIP_, but did not reserve the broader OPENCLAW_ namespace itself. As a result, any new or unlisted OPENCLAW_* runtime-control variable could be set from a workspace dotenv file. An attacker who controls a workspace - through a cloned repository or shared project folder - can introduce a .env file that injects arbitrary OPENCLAW_* variables into the runtime. These variables influence trusted behaviors including source-update paths and installer logic.

Root Cause

The root cause is an incomplete denylist of reserved environment variable prefixes in src/infra/dotenv.ts. The list enumerated specific subnamespaces but failed to reserve the parent OPENCLAW_ prefix. New control variables added to the runtime were not fail-closed by default, leaving them overridable from untrusted workspace .env files.

Attack Vector

Exploitation requires an attacker to deliver a crafted workspace containing a malicious .env file. When a victim opens the workspace and triggers a source-update or installer flow, OpenClaw loads the dotenv values and applies them to its runtime environment. Setting OPENCLAW_GIT_DIR or similar variables redirects trusted operations to attacker-controlled locations.

typescript
   "ANTHROPIC_API_KEY_",
   "CLAWHUB_",
   "OPENAI_API_KEY_",
+  // Workspace .env is untrusted; reserve the full OpenClaw runtime namespace
+  // for shell/global config so new OPENCLAW_* controls are fail-closed by default.
+  "OPENCLAW_",
   "OPENCLAW_CLAWHUB_",
   "OPENCLAW_DISABLE_",
   "OPENCLAW_SKIP_",

Source: GitHub commit 018494f - reserve workspace OPENCLAW env namespace

Detection Methods for CVE-2026-44114

Indicators of Compromise

  • Presence of .env files in untrusted workspaces containing OPENCLAW_* variable assignments
  • Unexpected values for OPENCLAW_GIT_DIR or similar runtime-control variables in process environments
  • Source-update or installer operations resolving to non-standard or attacker-controlled paths

Detection Strategies

  • Scan repositories and shared workspaces for .env files that define keys beginning with OPENCLAW_
  • Audit OpenClaw process telemetry for environment variables outside the expected baseline
  • Compare installed OpenClaw versions against the patched release 2026.4.20 across developer workstations

Monitoring Recommendations

  • Log child-process creation and environment variable inheritance for OpenClaw and its installer scripts
  • Alert on file-write events that create .env files containing OPENCLAW_ keys in cloned repositories
  • Track Git operations that target unexpected directories indicative of OPENCLAW_GIT_DIR manipulation

How to Mitigate CVE-2026-44114

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.20 or later, which reserves the full OPENCLAW_ namespace
  • Audit existing workspaces for .env files containing any OPENCLAW_* variable definitions and remove them
  • Treat all third-party or cloned workspaces as untrusted until their dotenv contents have been reviewed

Patch Information

The upstream fix is committed in src/infra/dotenv.ts and adds the OPENCLAW_ prefix to the reserved namespace list, ensuring new OPENCLAW_* runtime controls are fail-closed by default in workspace dotenv parsing. Refer to the GitHub Security Advisory GHSA-hxvm-xjvf-93f3 and the Vulncheck advisory on the OpenClaw environment variable namespace collision for full technical details.

Workarounds

  • Disable workspace dotenv loading where feasible until the patched release is deployed
  • Restrict the runtime environment so that OPENCLAW_* variables can only be set via shell or global configuration
  • Apply repository hygiene policies that reject commits introducing .env files with reserved namespace keys
bash
# Verify OpenClaw version and inspect workspaces for malicious dotenv entries
openclaw --version
find . -type f -name '.env' -exec grep -l '^OPENCLAW_' {} \;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.