Cyber Resilience

CVE-2026-41396

HighPublic PoC

Published: 28 April 2026

Published
28 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 2.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41396 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Subvert Trust Controls (T1553); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41396 is a vulnerability in OpenClaw versions prior to 2026.3.31 that allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. This flaw enables attackers with control over workspace configuration to inject malicious plugins by redirecting the bundled plugin trust root directory. The issue, published on 2026-04-28, is tracked under CWE-829 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The attack requires local access to the system and user interaction, such as loading a malicious workspace, but no privileged user rights. An attacker controlling workspace configuration can set the environment variable to point to a directory with untrusted plugins, bypassing trust checks. Successful exploitation allows execution of arbitrary malicious code via the plugins, resulting in high confidentiality, integrity, and availability impacts on the local system.

Mitigation is addressed in OpenClaw 2026.3.31 via a fix in commit 330a9f98cb29c79b1c16a2117e03d6276a0d6289, available at https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root. Practitioners should upgrade to the patched version and validate workspace .env files to prevent overrides.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1553 Subvert Trust Controls Defense Impairment
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
T1574 Hijack Execution Flow Stealth
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
T1204 User Execution Execution
An adversary may rely upon specific actions by a user in order to gain execution.
Why these techniques?

Vulnerability bypasses plugin trust verification via .env override of plugin directory, directly enabling subverting trust controls (T1553) and hijacking execution flow for malicious plugin code execution (T1574); requires user interaction to load malicious workspace (T1204).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43571Same product: Openclaw Openclaw
CVE-2026-22217Same product: Openclaw Openclaw
CVE-2026-43569Same product: Openclaw Openclaw
CVE-2026-32920Same product: Openclaw Openclaw
CVE-2026-41295Same product: Openclaw Openclaw
CVE-2026-41355Same product: Openclaw Openclaw
CVE-2026-41336Same product: Openclaw Openclaw
CVE-2026-44995Same product: Openclaw Openclaw
CVE-2026-44114Same product: Openclaw Openclaw
CVE-2026-27646Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the vulnerability by requiring installation of the vendor patch (OpenClaw 2026.3.31) that prevents .env file overrides of the plugin trust directory.

prevent

Enforces digital signature verification of plugins prior to loading or execution, ensuring only trusted components are used even if the trust root directory is overridden.

preventdetect

Provides software integrity verification mechanisms to detect and prevent execution of unauthorized or malicious plugins injected via the compromised environment variable.

References