Cyber Resilience

CVE-2026-41387

HighPublic PoC

Published: 28 April 2026

Published
28 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 15.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41387 is a high-severity Permissive List of Allowed Inputs (CWE-183) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-41387 is an incomplete host environment variable sanitization vulnerability affecting OpenClaw versions before 2026.3.22. The issue resides in the files host-env-security-policy.json and host-env-security.ts, which fail to properly prevent package-manager environment overrides. Published on 2026-04-28, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-183.

A local attacker can exploit the vulnerability through approved exec requests, redirecting package resolution or runtime bootstrap processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially compromising confidentiality, integrity, and availability with high impact. Exploitation requires user interaction but no special privileges.

Mitigation guidance is provided in the official OpenClaw security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-supply-chain-redirection-via-incomplete-host-environment-sanitization. Upgrading to OpenClaw 2026.3.22 or later addresses the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The vulnerability enables redirection of package resolution and runtime bootstrap to attacker-controlled infrastructure via incomplete environment variable sanitization, directly facilitating supply chain compromise by allowing execution of trojanized dependencies or software.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43569Same product: Openclaw Openclaw
CVE-2026-42428Same product: Openclaw Openclaw
CVE-2026-27646Same product: Openclaw Openclaw
CVE-2026-32924Same product: Openclaw Openclaw
CVE-2026-42431Same product: Openclaw Openclaw
CVE-2026-27523Same product: Openclaw Openclaw
CVE-2026-28463Same product: Openclaw Openclaw
CVE-2026-41394Same product: Openclaw Openclaw
CVE-2026-43573Same product: Openclaw Openclaw
CVE-2026-22179Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Verifies the authenticity of software components to prevent redirection of package resolution to attacker-controlled infrastructure serving trojanized content.

prevent

Enforces validation of information inputs such as environment variables to block incomplete sanitization allowing package-manager overrides.

preventdetect

Performs integrity verification of software and firmware to detect and prevent execution of trojanized content introduced via runtime bootstrap redirection.

References