QwikSec

Security Database

CVE

CWE

Training

CVE-2026-34426

Published: Apr 2, 2026

Modified: Apr 3, 2026

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.

Vendor	Product	Versions
OpenClaw	OpenClaw	affected `0 - < b57b680c0c34de907d57f60c38fb358e82aef8f7`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

References

GitHub Security Advisory (GHSA-h3x4-hc5v-v2gm)

vendor-advisory

Patch Commit #1

issue-tracking

https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7

patch

https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.