CVE-2026-41336

Published April 23rd, 2026

View on NVD ↗

CVSS v3

7.8

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.

openclaw/openclaw

Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞

GitHub

380K