OpenClaw versions before 2026.4.9 contain an environment variable injection vulnerability that allows attackers to exploit malicious workspace .env files. The vulnerability enables injection of variables that control critical runtime parameters including update sources, gateway URLs, ClawHub resolution, and browser executable paths. This can lead to complete compromise of application behavior and potential system takeover. The vulnerability affects the core configuration mechanism of the OpenClaw application through malicious environment file manipulation.