CVE-2026-44114 Overview
CVE-2026-44114 affects OpenClaw versions before 2026.4.20. The vulnerability stems from incomplete reservation of the OPENCLAW_ runtime-control environment namespace inside workspace dotenv (.env) files. Attackers can override critical runtime variables by placing malicious entries in workspace-level configuration. A malicious workspace can set variables such as OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. The flaw is categorized under [CWE-184] Incomplete List of Disallowed Inputs and requires local access combined with user interaction to trigger.
Critical Impact
Malicious workspace .env files can hijack OpenClaw runtime variables, leading to high confidentiality, integrity, and availability impact on the affected host during source-update or installer execution.
Affected Products
- OpenClaw versions prior to 2026.4.20
- Workspaces using untrusted dotenv (.env) configuration files
- Installer and source-update flows that consume OPENCLAW_* variables
Discovery Timeline
- 2026-05-06 - CVE-2026-44114 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44114
Vulnerability Analysis
OpenClaw maintains a list of environment variable prefixes that workspace .env files are not permitted to set. This denylist protects trusted runtime variables from being overridden by untrusted workspace configuration. The pre-patch list reserved specific prefixes such as OPENCLAW_CLAWHUB_, OPENCLAW_DISABLE_, and OPENCLAW_SKIP_, but did not reserve the broader OPENCLAW_ namespace itself. As a result, any new or unlisted OPENCLAW_* runtime-control variable could be set from a workspace dotenv file. An attacker who controls a workspace, for example through a cloned repository or a shared project folder, can introduce a .env file that injects arbitrary OPENCLAW_* variables into the runtime. These variables influence trusted behaviors including source-update paths and installer logic.
Root Cause
The root cause is an incomplete denylist of reserved environment variable prefixes in src/infra/dotenv.ts. The list enumerated specific subnamespaces but failed to reserve the parent OPENCLAW_ prefix. New control variables added to the runtime were not fail-closed by default, leaving them overridable from untrusted workspace .env files.
Attack Vector
Exploitation requires an attacker to deliver a crafted workspace containing a malicious .env file. When a victim opens the workspace and triggers a source-update or installer flow, OpenClaw loads the dotenv values and applies them to its runtime environment. Setting OPENCLAW_GIT_DIR or similar variables redirects trusted operations to attacker-controlled locations.
"ANTHROPIC_API_KEY_",
"CLAWHUB_",
"OPENAI_API_KEY_",
+ // Workspace .env is untrusted; reserve the full OpenClaw runtime namespace
+ // for shell/global config so new OPENCLAW_* controls are fail-closed by default.
+ "OPENCLAW_",
"OPENCLAW_CLAWHUB_",
"OPENCLAW_DISABLE_",
"OPENCLAW_SKIP_",
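Review bot: with "OPENCLAW_" now reserved, the three more specific entries that follow it ("OPENCLAW_CLAWHUB_", "OPENCLAW_DISABLE_", "OPENCLAW_SKIP_") are subsumed by the parent prefix and can be dropped, or kept with a comment saying they remain only for readability; a regression test asserting that an unlisted key such as OPENCLAW_GIT_DIR is now rejected from a workspace .env would pin down the fail-closed behavior the new comment promises.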
Source: GitHub commit 018494f - reserve workspace OPENCLAW env namespace
Detection Methods for CVE-2026-44114
Indicators of Compromise
- Presence of .env files in untrusted workspaces containing OPENCLAW_* variable assignments
- Unexpected values for OPENCLAW_GIT_DIR or similar runtime-control variables in process environments
- Source-update or installer operations resolving to non-standard or attacker-controlled paths
Detection Strategies
- Scan repositories and shared workspaces for .env files that define keys beginning with OPENCLAW_
- Audit OpenClaw process telemetry for environment variables outside the expected baseline
- Compare installed OpenClaw versions against the patched release 2026.4.20 across developer workstations
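The following TypeScript block is an added example, not OpenClaw's src/infra/dotenv.ts. It illustrates both the Root Cause above (a prefix denylist that reserved OPENCLAW_CLAWHUB_, OPENCLAW_DISABLE_ and OPENCLAW_SKIP_ but not the parent OPENCLAW_ prefix, so OPENCLAW_GIT_DIR slipped through) and the Detection Strategies just listed (scanning a workspace .env for keys in the reserved namespace). The two prefix lists are copied from the commit excerpt on this page; the dotenv grammar, the function names (parseDotenv, loadWorkspaceEnv, findBypassKeys) and the sample .env contents are assumptions constructed for the example.

```typescript
// Added example (not OpenClaw's own code): a minimal workspace dotenv loader
// with a reserved-prefix denylist, shown with the pre-patch list (parent
// OPENCLAW_ prefix missing) and the patched list, plus a scanner that reports
// which keys an unpatched loader would have honored.

// Prefix lists as shown in the commit excerpt on the page.
const PRE_PATCH_RESERVED: readonly string[] = [
  "ANTHROPIC_API_KEY_",
  "CLAWHUB_",
  "OPENAI_API_KEY_",
  "OPENCLAW_CLAWHUB_",
  "OPENCLAW_DISABLE_",
  "OPENCLAW_SKIP_",
];

// Patched list: the parent namespace makes every OPENCLAW_* key fail-closed.
const POST_PATCH_RESERVED: readonly string[] = [...PRE_PATCH_RESERVED, "OPENCLAW_"];

interface DotenvEntry {
  line: number; // 1-based line number, useful for findings
  key: string;
  value: string;
}

// Simplified dotenv grammar (assumption): KEY=VALUE per line, optional leading
// "export ", "#" comments, one layer of matching quotes, unquoted inline comments.
function parseDotenv(text: string): DotenvEntry[] {
  const entries: DotenvEntry[] = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return; // malformed line: ignore rather than guess
    const key = m[1] ?? "";
    let value = (m[2] ?? "").trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.lastIndexOf(q) > 0) {
      value = value.slice(1, value.lastIndexOf(q)); // strip matching quotes
    } else {
      value = value.replace(/\s+#.*$/, "").trim(); // drop unquoted inline comment
    }
    entries.push({ line: idx + 1, key, value });
  });
  return entries;
}

// Prefix match, the same shape of check the reserved list implies.
function isReserved(key: string, reserved: readonly string[]): boolean {
  return reserved.some((prefix) => key.startsWith(prefix));
}

// Apply the denylist: what the loader would accept into the runtime and what it drops.
function loadWorkspaceEnv(
  text: string,
  reserved: readonly string[],
): { accepted: Record<string, string>; rejected: string[] } {
  const accepted: Record<string, string> = {};
  const rejected: string[] = [];
  for (const e of parseDotenv(text)) {
    if (isReserved(e.key, reserved)) rejected.push(e.key);
    else accepted[e.key] = e.value;
  }
  return { accepted, rejected };
}

// Detection helper: keys the pre-patch list let through but the patched list
// blocks, i.e. entries an unpatched OpenClaw would have applied to its runtime.
function findBypassKeys(text: string): DotenvEntry[] {
  return parseDotenv(text).filter(
    (e) => !isReserved(e.key, PRE_PATCH_RESERVED) && isReserved(e.key, POST_PATCH_RESERVED),
  );
}

// Constructed sample workspace .env (not taken from any real repository).
const SAMPLE_WORKSPACE_ENV = [
  "# project settings (constructed sample)",
  'APP_NAME="demo"',
  "export OPENCLAW_GIT_DIR=/tmp/untrusted-path   # unlisted runtime-control key",
  "OPENCLAW_SKIP_UPDATE=1",
  "CLAWHUB_TOKEN=abc",
].join("\n");

// Human-readable findings for a scan over one .env file's text.
function formatReport(text: string): string {
  const hits = findBypassKeys(text);
  if (hits.length === 0) return "no unlisted OPENCLAW_* keys found";
  return hits.map((h) => `line ${h.line}: ${h.key} bypasses pre-patch denylist`).join("\n");
}

console.log(formatReport(SAMPLE_WORKSPACE_ENV));
```

Run over a real workspace, the same findBypassKeys pass applied to each .env file's contents gives the per-key, per-line findings that a repository scan or pre-commit hook can report; OPENCLAW_SKIP_UPDATE is not flagged because the pre-patch list already rejected it, while OPENCLAW_GIT_DIR is.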
Monitoring Recommendations
- Log child-process creation and environment variable inheritance for OpenClaw and its installer scripts
- Alert on file-write events that create .env files containing OPENCLAW_ keys in cloned repositories
- Track Git operations that target unexpected directories indicative of OPENCLAW_GIT_DIR manipulation
How to Mitigate CVE-2026-44114
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which reserves the full OPENCLAW_ namespace
- Audit existing workspaces for .env files containing any OPENCLAW_* variable definitions and remove them
- Treat all third-party or cloned workspaces as untrusted until their dotenv contents have been reviewed
Patch Information
The upstream fix is committed in src/infra/dotenv.ts and adds the OPENCLAW_ prefix to the reserved namespace list, ensuring new OPENCLAW_* runtime controls are fail-closed by default in workspace dotenv parsing. Refer to the GitHub Security Advisory GHSA-hxvm-xjvf-93f3 and the Vulncheck advisory on the OpenClaw environment variable namespace collision for full technical details.
Workarounds
- Disable workspace dotenv loading where feasible until the patched release is deployed
- Restrict the runtime environment so that OPENCLAW_* variables can only be set via shell or global configuration
- Apply repository hygiene policies that reject commits introducing .env files with reserved namespace keys
# Verify the installed OpenClaw version and list workspace .env files that set
# reserved OPENCLAW_* keys (plain and "export KEY=..." forms)
openclaw --version
find . -type f -name '.env' -exec grep -lE '^(export[[:space:]]+)?OPENCLAW_' {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


