CVE-2026-41368

Published: Apr 28, 2026 Last Modified: Apr 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.

668

Exposure of Resource to Wrong Sphere

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Other

Potential Impacts:

Read Application Data Modify Application Data Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

Application

Openclaw by Openclaw

Product Information

Vendor Openclaw

Product Openclaw

Version Range Affected

To 2026.3.28 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h

https://www.vulncheck.com/advisories/openclaw-environment-v…

https://www.vulncheck.com/advisories/openclaw-environment-variable-disclosure-v…