CVE-2026-34426 MEDIUM

CVE-2026-34426: OpenClaw - Approval Bypass via Environment Variable Normalization

Vendor Openclaw
Product OpenClaw
Weakness CWE-184
Published April 2, 2026
Last update April 3, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.

Key dates

02Disclosure timeline

April 2, 2026 CVE published
April 3, 2026 Record updated