VIR Vulnerability Intelligence Relay

CVE-2026-41373

medium
Published 2026-04-28 · Modified 2026-05-06
CVSS v3
6.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS v2
VIR risk
6.1

Description

OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

Predictions

Exploit likelihood
61%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9

vendor Authored 2026-05-27

Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa

Package impact
EcosystemPackageVulnerableFixed
npm npmopenclaw<2026.3.312026.3.31
npm NPMopenclaw<= 2026.3.282026.3.31

Application impact
VendorProductVersionsFixed
openclawopenclaw{"endExcluding":"2026.3.31"}2026.3.31

References

CWEs

CWE-427

Verify integrity in audit chain (admin only). AS-IS.