CVE-2026-41396
Published: 28 April 2026
Summary
CVE-2026-41396 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Subvert Trust Controls (T1553); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the vulnerability by requiring installation of the vendor patch (OpenClaw 2026.3.31) that prevents .env file overrides of the plugin trust directory.
Enforces digital signature verification of plugins prior to loading or execution, ensuring only trusted components are used even if the trust root directory is overridden.
Provides software integrity verification mechanisms to detect and prevent execution of unauthorized or malicious plugins injected via the compromised environment variable.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability bypasses plugin trust verification via .env override of plugin directory, directly enabling subverting trust controls (T1553) and hijacking execution flow for malicious plugin code execution (T1574); requires user interaction to load malicious workspace (T1204).
NVD Description
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.
Deeper analysisAI
CVE-2026-41396 is a vulnerability in OpenClaw versions prior to 2026.3.31 that allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. This flaw enables attackers with control over workspace configuration to inject malicious plugins by redirecting the bundled plugin trust root directory. The issue, published on 2026-04-28, is tracked under CWE-829 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The attack requires local access to the system and user interaction, such as loading a malicious workspace, but no privileged user rights. An attacker controlling workspace configuration can set the environment variable to point to a directory with untrusted plugins, bypassing trust checks. Successful exploitation allows execution of arbitrary malicious code via the plugins, resulting in high confidentiality, integrity, and availability impacts on the local system.
Mitigation is addressed in OpenClaw 2026.3.31 via a fix in commit 330a9f98cb29c79b1c16a2117e03d6276a0d6289, available at https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root. Practitioners should upgrade to the patched version and validate workspace .env files to prevent overrides.
Details
- CWE(s)