CVE-2026-43584: OpenClaw Environment Variable Vulnerability Allows Execution Hijack
The National Vulnerability Database has detailed CVE-2026-43584, a high-severity vulnerability (CVSS 8.8) in OpenClaw before version 2026.4.10. This flaw, categorized as CWE-184 (Insufficient Denylist), stems from an inadequate environment variable denylist in OpenClaw’s exec environment policy. It permits operator-supplied overrides of critical interpreter startup variables like VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES.
Attackers can leverage this by manipulating these environment variables to directly influence downstream execution behavior within affected systems. This could lead to arbitrary code execution or network connectivity redirection, giving them significant control. The impact is severe: full compromise of confidentiality, integrity, and availability.
Defenders need to understand the attacker’s calculus here: this isn’t about exploiting a complex memory corruption bug, but rather abusing a trust boundary around environment variables. It’s a classic case of assuming inputs are safe when they are not. The ease of exploitation (low attack complexity, no user interaction required) coupled with high impact makes this a critical patch. Organizations using OpenClaw must prioritize this update immediately.
What This Means For You
- If your organization uses OpenClaw, you are exposed to a critical remote code execution vulnerability. Check your OpenClaw installations immediately and ensure they are updated to version 2026.4.10 or later. Audit any systems running OpenClaw for suspicious process execution or unusual network connections, as this vulnerability allows attackers to directly manipulate execution flow and network behavior.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-43584: OpenClaw Environment Variable Override (VIMINIT/EXINIT)
title: CVE-2026-43584: OpenClaw Environment Variable Override (VIMINIT/EXINIT)
id: scw-2026-05-06-ai-1
status: experimental
level: high
description: |
Detects the exploitation of CVE-2026-43584 by OpenClaw, where attackers can override critical environment variables like VIMINIT and EXINIT via the command line to influence interpreter startup and potentially execute arbitrary code. This rule specifically looks for OpenClaw processes being launched with these environment variables set.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43584/
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
detection:
selection:
Image|startswith:
- 'C:\Program Files\OpenClaw\bin\'
CommandLine|contains:
- 'VIMINIT='
- 'EXINIT='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43584 | Code Injection | OpenClaw before 2026.4.10 |
| CVE-2026-43584 | Misconfiguration | Insufficient environment variable denylist in exec environment policy |
| CVE-2026-43584 | Code Injection | Vulnerable environment variables: VIMINIT, EXINIT, LUA_INIT |
| CVE-2026-43584 | Network Connectivity Manipulation | Vulnerable environment variable: HOSTALIASES |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 06, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to...
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure...
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`....