CVE-2026-44114

HighPublic PoC

Published: 06 May 2026

Published

06 May 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score N/A

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer…

flows.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-8 Spam Protection

addresses: CWE-184

Spam filters rely on evolving blacklists, signatures, and heuristics of disallowed message patterns; keeping them updated per the control directly mitigates incomplete disallowed-input lists.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-184

References

https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv
disclosure@vulncheck.com