OpenClaw versions before 2026.3.28 contain a vulnerability where the application loads .env files from the current working directory before loading trusted state-dir configuration. This allows attackers to perform environment variable injection by placing malicious .env files in repositories or workspaces. The vulnerability enables attackers to override runtime configuration and security-sensitive environment settings during OpenClaw startup, potentially compromising the application's security posture.