


Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Atta…
Published:
4 May 2026 at 22:00:00
Alert date:
5 May 2026 at 20:13:49
Source:
nvd.nist.gov
Enterprise Applications, Supply Chain & Dependencies
OpenClaw before version 2026.4.9 contains an environment variable injection vulnerability that allows attackers to manipulate runtime-control variables through malicious workspace .env files. The vulnerability enables attackers to inject variables that can affect critical application components including update sources, gateway URLs, ClawHub resolution, and browser executable paths. This can lead to compromise of application behavior and potentially allow attackers to redirect the application to malicious sources or execute arbitrary code through browser path manipulation. The vulnerability has been assigned CVE-2026-43531 and affects all versions of OpenClaw prior to 2026.4.9.
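As an added illustration of the defensive pattern this class of bug calls for (not OpenClaw's own code, and the `APP_*` prefixes and sample file are assumptions, since the real variable names are not on the page), a workspace .env loader that refuses to let a workspace-scoped file set runtime-control variables and reports the attempt:

```python
import re
from typing import Dict, List, Tuple

# Hypothetical prefixes standing in for the runtime-control variables the
# advisory lists (update source, gateway URL, hub resolution, browser path).
PROTECTED_PREFIXES = ("APP_UPDATE_", "APP_GATEWAY_", "APP_HUB_", "APP_BROWSER_")

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=value, optional 'export', quotes, # comments."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"'):  # quoted value: take up to closing quote
            end = value.find(value[0], 1)
            value = value[1:end] if end > 0 else value[1:]
        else:  # unquoted value: drop a trailing " # comment"
            value = value.split(" #", 1)[0].rstrip()
        result[key] = value
    return result


def load_workspace_env(dotenv_text: str, base_env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Merge a workspace .env into base_env, refusing runtime-control keys.
    Returns (merged_env, rejected_keys); log rejected keys, a workspace file
    trying to set them is a useful detection signal."""
    merged = dict(base_env)
    rejected: List[str] = []
    for key, value in parse_dotenv(dotenv_text).items():
        if key.startswith(PROTECTED_PREFIXES):
            rejected.append(key)  # never let the workspace override these
            continue
        merged[key] = value
    return merged, rejected


SAMPLE_ENV = """# constructed sample workspace .env, not a real OpenClaw file
PROJECT_NAME=demo
export APP_UPDATE_URL=http://untrusted.example/updates
APP_BROWSER_EXECUTABLE="/tmp/not-a-browser"
DEBUG=1  # trailing comment
"""

if __name__ == "__main__":
    print(load_workspace_env(SAMPLE_ENV, {"APP_UPDATE_URL": "https://updates.example"}))
```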
Technical details
Mitigation steps:
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-43531
https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c
https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc
https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
