
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification.…

Published:

27 April 2026 at 22:00:00

Alert date:

28 April 2026 at 20:08:59

Source:

nvd.nist.gov


Supply Chain & Dependencies, Security Tools

CVE-2026-41396 affects OpenClaw versions before 2026.3.31, allowing workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable. This vulnerability compromises plugin trust verification mechanisms. Attackers who can control workspace configuration files can exploit this to inject malicious plugins by overriding the bundled plugin trust root directory. The vulnerability represents a significant supply chain security risk as it allows bypassing security controls intended to verify plugin authenticity and trustworthiness.
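The advisory describes a configuration-precedence flaw: a `.env` file that lives inside a workspace (content an attacker may control) is allowed to set `OPENCLAW_BUNDLED_PLUGINS_DIR`, the variable that tells the application where its trusted bundled plugins are. The following is an added example, not OpenClaw's code and not its actual fix (the page does not describe the fix); it shows the unsafe merge pattern next to a hardened loader that refuses workspace values for trust-root variables. The protected-key list, the function names, the default plugin path and the sample `.env` content are all constructed for illustration.

```javascript
// Added example (not OpenClaw's code): a workspace .env loader that keeps
// trust-root variables out of reach of workspace-controlled configuration.
// Assumptions: the protected-key list, function names and paths are illustrative.

// Variables that decide what code is trusted. They must come from the
// installation (process environment or built-in default), never from a file
// inside a workspace the agent operates on.
const PROTECTED_KEYS = new Set(['OPENCLAW_BUNDLED_PLUGINS_DIR']);

// Minimal .env parser: KEY=value lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) ||
       (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// The pattern the advisory describes: workspace values are merged on top of the
// process environment, so a workspace .env can redefine the plugin trust root.
function mergeUnsafe(processEnv, workspaceVars) {
  return { ...processEnv, ...workspaceVars };
}

// Hardened merge: protected keys are dropped and reported, and the remaining
// workspace values only fill in variables the process environment did not set.
function mergeHardened(processEnv, workspaceVars, protectedKeys = PROTECTED_KEYS) {
  const env = { ...processEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(workspaceVars)) {
    if (protectedKeys.has(key)) {
      rejected.push(key); // worth logging or alerting on in a real deployment
      continue;
    }
    if (!(key in env)) env[key] = value;
  }
  return { env, rejected };
}

// Resolve the bundled-plugins trust root from the merged environment.
// The default directory is a placeholder, not OpenClaw's real path.
function resolveBundledPluginsDir(env, defaultDir = '/opt/openclaw/plugins') {
  return env.OPENCLAW_BUNDLED_PLUGINS_DIR || defaultDir;
}

// Constructed sample input: a workspace .env that tries to redirect the trust root.
const SAMPLE_WORKSPACE_ENV = [
  '# workspace settings (constructed sample)',
  'OPENCLAW_BUNDLED_PLUGINS_DIR="/srv/workspace/plugins"',
  'MY_WORKSPACE_LOG_LEVEL=debug',
].join('\n');

function demo() {
  const processEnv = { PATH: '/usr/bin' }; // installer-controlled environment, no trust root set
  const workspaceVars = parseDotenv(SAMPLE_WORKSPACE_ENV);
  const unsafe = mergeUnsafe(processEnv, workspaceVars);
  const hardened = mergeHardened(processEnv, workspaceVars);
  return {
    unsafeDir: resolveBundledPluginsDir(unsafe),         // '/srv/workspace/plugins'
    hardenedDir: resolveBundledPluginsDir(hardened.env), // '/opt/openclaw/plugins'
    rejected: hardened.rejected,                         // ['OPENCLAW_BUNDLED_PLUGINS_DIR']
    logLevel: hardened.env.MY_WORKSPACE_LOG_LEVEL,       // 'debug'
  };
}

console.log(demo());
```

Note that the hardened loader drops protected keys even when the process environment does not define them: the common dotenv rule of "never override an existing variable" is not enough here, because an unset trust-root variable would still be filled in from the workspace file. The `rejected` list is the detection hook; a workspace file that attempts to set a trust-root variable is itself a signal worth recording.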

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the correctness, completeness or timeliness of this information.
