OpenClaw before 2026.3.28 contains an environment...
High severity
Unreviewed
Published
Apr 28, 2026
to the GitHub Advisory Database
•
Updated Apr 28, 2026
Description
Published by the National Vulnerability Database
Apr 28, 2026
Published to the GitHub Advisory Database
Apr 28, 2026
Last updated
Apr 28, 2026
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.
References