CVE-2026-41357 LOW

CVE-2026-41357: OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends

Vendor Openclaw
Product OpenClaw
Weakness CWE-214
Published April 23, 2026
Last update April 24, 2026

CVSS base score

2.0/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.

Key dates

Disclosure timeline

April 23, 2026 CVE published
April 24, 2026 Record updated