Intelligence
highVulnerabilityActive

OpenClaw CWD .env Loading Order Vulnerability - Environment Variable Injection via Untrusted Workspace State

OpenClaw loads `.env` files from the current working directory before applying trusted state-dir configuration, allowing attackers to inject malicious environment variables through repository-committed or workspace files. This bypasses intended host environment isolation policies and enables configuration/security setting override.

S
Sebastion

Affected

OpenClaw <= 2026.3.24

Vulnerability Description

OpenClaw contains a dotenv loading order vulnerability classified as CWE-426 (Untrusted Search Path) and CWE-427 (Uncontrolled Search Path Element). The root cause is that the application loads environment variables from .env files in the current working directory (CWD) before consulting trusted configuration from the designated state directory. This violates the principle of least privilege and secure configuration hierarchy. The impact is severe: any user or automated system invoking OpenClaw from a repository containing a malicious .env file will have their runtime configuration and security-sensitive environment variables overridden by untrusted workspace state, potentially leading to credential exposure, privilege escalation, or lateral movement.

PoC Significance

This vulnerability is particularly dangerous because:

  • Ease of exploitation: Requires only committing a .env file to a repository (no code execution needed initially)
  • Silent nature: Developers typically do not inspect .env files for malicious content
  • Supply chain risk: Affects anyone cloning or working in the compromised repository
  • Preconditions are minimal: Only requires the victim to run OpenClaw in a directory containing the malicious .env
  • Reliability: The loading order is deterministic, making exploitation highly reliable across versions <= 2026.3.24

Detection Guidance

Log Indicators:

  • Monitor for unexpected environment variable assignments originating from CWD .env sources
  • Track discrepancies between intended configuration (state-dir) and runtime behavior
  • Alert on suspicious environment variables being read before state-dir initialization

File-based Detection:

  • Scan repositories for .env files containing suspicious keys (API tokens, passwords, paths to executables, etc.)
  • Implement pre-commit hooks to flag .env files for review
  • Use SAST tools to detect OpenClaw initialization without dotenv filtering

Configuration Audit:

  • Verify OpenClaw startup logs show state-dir configuration taking precedence
  • Compare active environment variables against approved configuration sources

Mitigation Steps

  1. Immediate: Upgrade to OpenClaw >= 2026.3.28 (commit 6a79324802)
  2. Workaround (if upgrade delayed): Remove or move .env files from CWD before invoking OpenClaw; use only state-dir configuration
  3. Configuration governance: Enforce dotenv loading order via linting rules in CI/CD
  4. Repository hygiene: Audit all existing .env files in repositories for suspicious content
  5. Defense-in-depth: Implement environment variable allowlisting and deny unexpected values at startup

Risk Assessment

Likelihood of exploitation: Medium-to-High. This vulnerability requires minimal effort to exploit and is discoverable through basic code review. Threat actors targeting development environments or supply chains would find this attractive.

Threat actor interest: High for:

  • Supply chain compromises targeting downstream users
  • Repository infiltration attacks
  • Credential harvesting from development environments
  • CI/CD pipeline poisoning

Urgency: Critical. All instances of OpenClaw <= 2026.3.24 should be treated as potentially compromised if used in shared or untrusted repositories.

Sources

pocenvironment-variable-injectionpath-traversal-adjacentconfiguration-tamperinguntrusted-inputdotenv-loading-orderworkspace-security
Back to intelligence