CVE-2026-43531
Published: 05 May 2026
Summary
CVE-2026-43531 is a high-severity External Control of System or Configuration Setting (CWE-15) vulnerability in OpenClaw. Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The vulnerability ranks at the 10.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-43531, published on 2026-05-05, is an environment variable injection vulnerability (CWE-15) affecting OpenClaw versions before 2026.4.9. A malicious workspace .env file can set runtime-control variables that steer security-relevant behaviour: where updates are fetched from, which gateway URL is used, how ClawHub is resolved, and which browser executable is launched. Whoever controls those settings controls what the application downloads, connects to and executes. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit the vulnerability by convincing a user to load a workspace that contains a crafted .env file; user interaction is required. Once the file is loaded, the injected variables redirect application functions such as the update mechanism or network endpoint resolution, with high impact on confidentiality, integrity and availability.
Mitigation is available via the patch in OpenClaw commit dbfcef319618158fa40b31cdac386ea34c392c0c, which corresponds to version 2026.4.9 and later. After upgrading, confirm that the installed version reports 2026.4.9 or later, and treat any existing workspace .env file that sets update-source, gateway, ClawHub or browser-path variables as suspicious. Security practitioners should consult the GitHub security advisory GHSA-7wv4-cc7p-jhxc and the VulnCheck advisory for additional details on remediation and verification steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27273
Vulnerability details
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.
- CWE(s): CWE-15 (External Control of System or Configuration Setting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1204.002 (User Execution: Malicious File): the crafted workspace .env file only takes effect once a user loads the workspace.
- T1574.007 (Hijack Execution Flow: Path Interception by PATH Environment Variable): the injected variables directly control executable paths and update sources, so the attacker decides which binary is launched and where code is fetched from.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate all inputs, including .env file contents, before any variable is applied to runtime settings such as update sources or executable paths.
- CM-6 (Configuration Settings): enforce approved, hardened configuration settings that restrict which environment variables may influence security-relevant behaviour.
- Integrity verification: verify the integrity of configuration data and software components to detect unauthorized changes introduced via malicious .env variable injection.