Connect Clawsmith to your coding agent. Ship products like crazy.Unlimited usage during betaGet API Key →
← Back to dashboard
clawsmith.com/signal/cve-2026-41294-env-var-injection-cvss-8-6
IssueWide OpenVulnerabilityLive

CVE-2026-41294: OpenClaw .env File Injection Overrides Security Config (CVSS 8.6)

Published April 21, 2026. High-severity env var injection: OpenClaw loads .env from CWD before trusted state-dir config, letting attackers override security-sensitive runtime settings. CVSS 8.6. No authentication required to trigger. Fixed in v2026.3.28+. Advisory: GHSA-8fmp-37rc-p5g7.

Product Idea from this Signal

A background service that scans every directory OpenClaw opens for malicious .env files, poisoned configs, and environment variable injection payloads before the agent loads them

CVE-2026-41294 (CVSS 8.6) proved that a single .env file in the wrong directory can override OpenClaw security settings during startup. The attack surface is broad: any git clone, any downloaded project, any shared workspace could contain a weaponized .env. OpenClaw loads env vars from the current working directory before establishing its trusted configuration. This tool runs as a pre-flight scan before OpenClaw starts, checking every .env file in the workspace chain for suspicious overrides, known injection patterns, and variables that should never come from untrusted sources.

CLIOPEN-SOURCESECURITYDEVTOOL
CompetitiveView Opportunity →

Social Proof 1 sources

GH
CVE-2026-41294: Env Var Injection via Malicious .env File (CVSS 8.6)
4/21/2026
0

Frequently Asked Questions

Virality Score
0
across 1 platforms
Details
Signalissue
EcosystemVulnerability
Sources1
Platforms1
Updated8h ago
Trend→ stable
Top ideas
All ideas →
26.1MA pre-publish scanner that strips source maps, secrets, and internal code from npm packages before they ship to the registry2.2MA routing middleware that pairs an expensive advisor model with a cheap executor model for OpenClaw agents, cutting API costs by 80% while maintaining output quality892.2KA web dashboard that finds revenue gaps and saturated niches across 180+ OpenClaw startups in real time
Related signals
All signals →
93KAgents of Chaos: 38 Researchers Deploy 6 OpenClaw Agents — 11 Critical Failure Patterns in 14 Days35.7KCapability Evolver — #1 ClawHub Skill (35K Downloads) Caught Exfiltrating Data to ByteDance Feishu13.3KIronClaw: NEAR AI Rust OpenClaw Rewrite — WASM Sandbox, LLM Never Touches Secrets (11.3K Stars)