Cyber Resilience

CVE-2026-43531

Severity: High · Public PoC

Published: 05 May 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: available (fixed in 2026.4.9)
CVSS v4.0 score: 7.0 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0020 (10.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-43531 is a high-severity External Control of System or Configuration Setting (CWE-15) vulnerability in OpenClaw (CPE vendor/product openclaw:openclaw). Its CVSS v4.0 base score is 7.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The CVE sits at the 10.3rd percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-43531, published on 2026-05-05, is an environment variable injection vulnerability (CWE-15) affecting OpenClaw versions prior to 2026.4.9. A malicious workspace .env file can set runtime-control variables that steer security-relevant components: the update source, gateway URLs, ClawHub resolution, and the browser executable path. Because these settings decide where code and updates are fetched from and which binaries are launched, controlling them amounts to controlling the application's behaviour. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H); the CVSS v4.0 score shown above is 7.0.

A local attacker with low privileges exploits the flaw by getting a user to open a workspace that contains a crafted .env file, so user interaction is required. Once the file is loaded, the injected variables redirect application functions such as the update mechanism, network resolution, or the browser executable that is spawned, which is why the impact on confidentiality, integrity, and availability is rated high.

Mitigation is available via the patch in OpenClaw commit dbfcef319618158fa40b31cdac386ea34c392c0c, which ships in version 2026.4.9 and later. Practitioners should consult the GitHub security advisory GHSA-7wv4-cc7p-jhxc and the VulnCheck advisory for remediation and verification details, and should treat any workspace .env file from an untrusted source as attacker-controlled input until the upgrade is applied.
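The loading pattern described above, as an added example that is not OpenClaw code: a minimal .env parser, the unsafe behaviour of merging every key from a workspace file into the runtime configuration, and an allowlist loader that refuses runtime-control variables. The variable names (OPENCLAW_UPDATE_SOURCE, OPENCLAW_BROWSER_PATH and so on), the shape of the runtime configuration, the allowlist, and the crafted .env are hypothetical and constructed for the demonstration; the page does not name OpenClaw's real variables, and this is not the project's fix.

```javascript
// Added example (not OpenClaw code). Shows how a workspace .env can inject
// runtime-control variables and how an allowlist loader refuses them.
// All variable names and the runtime-config shape are hypothetical.

// Variables that must never be set by a workspace file: hypothetical
// application controls plus generic process-control variables.
const CONTROL_VARS = new Set([
  "OPENCLAW_UPDATE_SOURCE",  // hypothetical: where updates are fetched from
  "OPENCLAW_GATEWAY_URL",    // hypothetical: gateway endpoint
  "OPENCLAW_CLAWHUB_URL",    // hypothetical: ClawHub resolution
  "OPENCLAW_BROWSER_PATH",   // hypothetical: browser executable to spawn
  "PATH", "LD_PRELOAD", "NODE_OPTIONS",
]);

// Minimal dotenv parser: KEY=value, optional "export " prefix,
// single/double quoted values, "#" comments (full-line or trailing).
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    else value = value.replace(/\s+#.*$/, "");
    out[m[1]] = value;
  }
  return out;
}

// Vulnerable pattern: every key in the workspace file overrides the
// runtime configuration, so a crafted .env redirects control settings.
function applyWorkspaceEnvUnsafe(runtime, dotenvText) {
  return { ...runtime, ...parseDotenv(dotenvText) };
}

// Hardened pattern: a workspace file may only set keys on an explicit
// allowlist of per-workspace settings; control variables and anything not
// on the allowlist are reported and ignored. Values must be printable ASCII
// and bounded in length so the file cannot smuggle odd bytes either.
function applyWorkspaceEnvSafe(runtime, dotenvText, allowlist) {
  const applied = {};
  const rejected = [];
  for (const [key, value] of Object.entries(parseDotenv(dotenvText))) {
    const printable = /^[\x20-\x7e]*$/.test(value) && value.length <= 4096;
    if (CONTROL_VARS.has(key) || !allowlist.has(key) || !printable) {
      rejected.push(key);
      continue;
    }
    applied[key] = value;
  }
  return { runtime: { ...runtime, ...applied }, rejected };
}

// Constructed sample: a workspace .env a victim is tricked into loading.
const CRAFTED_DOTENV = `
# looks like harmless project settings
PROJECT_NAME="demo"
export OPENCLAW_UPDATE_SOURCE=https://updates.example.invalid/evil
OPENCLAW_BROWSER_PATH=/tmp/not-a-browser   # attacker-controlled binary
PATH=/tmp/evil-bin:/usr/bin
`;

// Constructed baseline: what the application would use without the file.
const BASELINE_RUNTIME = {
  OPENCLAW_UPDATE_SOURCE: "https://updates.example.invalid/official",
  OPENCLAW_BROWSER_PATH: "/usr/bin/chromium",
  PATH: "/usr/local/bin:/usr/bin",
};

// Hypothetical allowlist of settings a workspace is permitted to change.
const WORKSPACE_ALLOWLIST = new Set(["PROJECT_NAME", "LOG_LEVEL"]);

// Runs both loaders over the crafted file and returns the two outcomes.
function demo() {
  const unsafe = applyWorkspaceEnvUnsafe(BASELINE_RUNTIME, CRAFTED_DOTENV);
  const safe = applyWorkspaceEnvSafe(BASELINE_RUNTIME, CRAFTED_DOTENV, WORKSPACE_ALLOWLIST);
  return { unsafe, safe };
}

const RESULT = demo();
console.log("unsafe update source:", RESULT.unsafe.OPENCLAW_UPDATE_SOURCE);
console.log("safe update source:  ", RESULT.safe.runtime.OPENCLAW_UPDATE_SOURCE);
console.log("rejected keys:", RESULT.safe.rejected.join(", "));
```

Running the file prints the update source under each loader: the unsafe merge lets the workspace file redirect updates, the browser binary and the executable search path, while the hardened loader keeps the baseline values and reports the three rejected keys. The design point is that the decision is an allowlist on the consumer side, not a denylist in the file parser: the file is untrusted input, so which keys may influence security-relevant behaviour is decided by the application's own configuration policy.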

Vulnerability details

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.

CWE(s)

CWE-15 External Control of System or Configuration Setting
Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 User Execution: Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.
Why these techniques?

The crafted workspace .env file only takes effect when a user loads the workspace (T1204.002); once loaded, the injected variables directly set executable paths and update sources, which is the same mechanism as PATH-based execution-flow hijacking (T1574.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41384 (same product: OpenClaw)
CVE-2026-41294 (same product: OpenClaw)
CVE-2026-35650 (same product: OpenClaw)
CVE-2026-22177 (same product: OpenClaw)
CVE-2026-29610 (same product: OpenClaw)
CVE-2026-28447 (same product: OpenClaw)
CVE-2026-32920 (same product: OpenClaw)
CVE-2026-41295 (same product: OpenClaw)
CVE-2026-41336 (same product: OpenClaw)
CVE-2026-42428 (same product: OpenClaw)

Affected Assets

openclaw:openclaw, versions < 2026.4.9 (fixed in 2026.4.9)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation
Validate all inputs, including the contents of workspace .env files, before any environment variable is applied to runtime settings such as update sources or executable paths; a workspace file is untrusted input and must not be merged into the configuration as-is.

prevent · CM-6 Configuration Settings
Enforce approved, hardened configuration settings that restrict, by explicit allowlist, which environment variables may influence security-relevant behaviour such as update sources, gateway URLs, ClawHub resolution, and browser executable paths.

detect
Verify the integrity of configuration data and software components so that unauthorized changes introduced through .env variable injection (a redirected update source, an unexpected browser executable path) are detected rather than silently applied.
