NVIDIA NeMoClaw Vulnerability Exposes Host Environment Variables
The National Vulnerability Database has detailed CVE-2026-24222, a high-severity vulnerability affecting NVIDIA NeMoClaw. The flaw resides within the sandbox environment’s initialization component. A remote attacker can exploit this by sending prompt-injected content, enabling the agent to bypass intended restrictions and read host environment variables.
This misconfiguration during sandbox creation, categorized as CWE-497 (Exposure of Sensitive Information Through Environmental Variables), directly leads to information disclosure. The CVSS score for this vulnerability is 8.6, indicating a significant risk, particularly given its network attack vector and low attack complexity.
While specific affected products are not detailed by the National Vulnerability Database, organizations utilizing NVIDIA NeMoClaw should prioritize evaluating their deployments. The attacker’s calculus here is straightforward: leverage a compromised prompt to extract valuable configuration data, laying groundwork for further exploitation or lateral movement. Defenders must ensure sandboxes are robustly configured to prevent any unauthorized access to host-level secrets.
What This Means For You
- If your organization uses NVIDIA NeMoClaw, you must immediately review your sandbox configurations. Ensure strict controls are in place to prevent prompt injection from accessing host environment variables. This isn't just a theoretical issue; it's a direct path to sensitive information disclosure, which attackers will absolutely weaponize.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-24222 - NVIDIA NeMoClaw Host Environment Variable Exfiltration via Prompt Injection
title: CVE-2026-24222 - NVIDIA NeMoClaw Host Environment Variable Exfiltration via Prompt Injection
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-24222 by looking for common Python environment variable access functions within the query parameters of a NeMoClaw API endpoint, indicating potential exfiltration of host environment variables through prompt injection.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-24222/
tags:
- attack.discovery
- attack.t1039
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'os.environ'
- 'getenv'
cs-uri|contains:
- '/v1/chat/completions'
cs-method: 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-24222 | Information Disclosure | NVIDIA NeMoClaw sandbox environment initialization component |
| CVE-2026-24222 | Improper Access Control | Prompt-injected content causing agent to read/exfiltrate host environment variables |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 22:36 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Daily Security Digest — 2026-04-28
80 vulnerability disclosures (20 Critical, 60 High) and 25 curated intelligence stories from 9 sources.
CVE-2026-42431: OpenClaw Vulnerability Allows Persistent Browser Profile Mutation
CVE-2026-42431 — OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to...
OpenClaw CVE-2026-42426: Improper Authorization Allows Node Pairing Bypass
CVE-2026-42426 — OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged...