CVE-2026-59261: OpenClaw: dotenv override leaks provider credentials

HIGH
Published July 8, 2026
CISO Take

OpenClaw, an AI agent framework, will silently let a workspace-level .env file override provider API credentials that should stay locked to the trusted configuration, letting anyone with write access to an input path — a shared repo, a cloned project, a mounted directory — capture or redirect secrets used for LLM provider calls. There's no evidence of active exploitation: it isn't in CISA KEV, no EPSS score or public exploit/scanner template exists yet, and downstream dependent counts aren't tracked for this package, so blast radius is hard to size precisely — but the local, no-privileges-required attack path (CVSS 7.1) makes it a realistic insider/supply-chain risk wherever OpenClaw agents process third-party or team-shared directories. Any organization running OpenClaw against shared codebases, contractor deliverables, or CI checkouts should treat workspace .env files as untrusted input by default. Patch to OpenClaw 2026.5.28 or later immediately, and until then audit and strip .env files from any workspace before pointing an agent at it, rotate provider API keys if untrusted workspaces have already been processed, and alert on outbound calls to unexpected provider endpoints.

Sources: NVD GitHub Advisory ATLAS vulncheck.com

What is the risk?

CVSS 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) reflects a low-complexity, no-privilege attack that only needs a victim to open or run a tainted workspace — a routine action for anyone using an AI coding agent on external or team-shared code. Confidentiality and integrity impact are both high (credential exposure and override of trusted config), while availability is unaffected. No KEV listing, EPSS score, public exploit, or Nuclei template exists, so mass automated exploitation is unlikely near-term; this reads as a targeted/insider or workspace-poisoning risk rather than an internet-scanning one. The risk scales with how many teams point OpenClaw at repos, PRs, or directories they don't fully trust.

How does the attack unfold?

Plant malicious workspace config
Attacker with lower-trust access to a configured input path (shared repo, cloned project, mounted directory) drops a .env file defining values that shadow provider credential variables.
AML.T0081
Victim triggers agent on tainted workspace
Victim runs OpenClaw against the workspace, and the loader merges the untrusted dotenv into the agent's configuration without blocking credential-key overrides.
AML.T0083
Credential exposure
Overridden values expose the real provider credentials or redirect API calls to attacker-controlled infrastructure, handing the attacker usable secrets.
AML.T0055
Downstream abuse
Attacker uses the captured or redirected credentials to access the LLM provider under the victim's identity, enabling further data access or cost/abuse impact.
AML.T0106

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI Required
S Unchanged
C High
I High
A None

What should I do?

1 step
  1. Upgrade to OpenClaw 2026.5.28 or later, which fixes the dotenv trust boundary. Until patched: never point OpenClaw at untrusted or third-party workspaces/repos with credential loading enabled; explicitly strip or allowlist .env files before an agent processes an input path; run the agent with scoped, least-privilege provider API keys inside an isolated sandbox/container so a leaked key has minimal reach; rotate any provider credentials that may already have been exposed to untrusted workspaces; add detection for agent egress to unexpected provider hostnames/base URLs; and add CI checks that reject committed .env files in externally-contributed branches.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Security of AI system operations
NIST AI RMF
MANAGE 4.1 - Risk treatment and third-party/supply chain risk
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-59261?

OpenClaw, an AI agent framework, will silently let a workspace-level .env file override provider API credentials that should stay locked to the trusted configuration, letting anyone with write access to an input path — a shared repo, a cloned project, a mounted directory — capture or redirect secrets used for LLM provider calls. There's no evidence of active exploitation: it isn't in CISA KEV, no EPSS score or public exploit/scanner template exists yet, and downstream dependent counts aren't tracked for this package, so blast radius is hard to size precisely — but the local, no-privileges-required attack path (CVSS 7.1) makes it a realistic insider/supply-chain risk wherever OpenClaw agents process third-party or team-shared directories. Any organization running OpenClaw against shared codebases, contractor deliverables, or CI checkouts should treat workspace .env files as untrusted input by default. Patch to OpenClaw 2026.5.28 or later immediately, and until then audit and strip .env files from any workspace before pointing an agent at it, rotate provider API keys if untrusted workspaces have already been processed, and alert on outbound calls to unexpected provider endpoints.

Is CVE-2026-59261 actively exploited?

No confirmed active exploitation of CVE-2026-59261 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-59261?

Upgrade to OpenClaw 2026.5.28 or later, which fixes the dotenv trust boundary. Until patched: never point OpenClaw at untrusted or third-party workspaces/repos with credential loading enabled; explicitly strip or allowlist .env files before an agent processes an input path; run the agent with scoped, least-privilege provider API keys inside an isolated sandbox/container so a leaked key has minimal reach; rotate any provider credentials that may already have been exposed to untrusted workspaces; add detection for agent egress to unexpected provider hostnames/base URLs; and add CI checks that reject committed .env files in externally-contributed branches.

What systems are affected by CVE-2026-59261?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD agent pipelines, multi-tenant developer workspaces.

What is the CVSS score for CVE-2026-59261?

CVE-2026-59261 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksCI/CD agent pipelinesmulti-tenant developer workspaces

MITRE ATLAS Techniques

AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.

Exploitation Scenario

An attacker contributes to or plants a file in a repository, shared directory, or CI checkout that OpenClaw will later process — a low-trust input path the victim doesn't fully audit. The dropped .env file defines entries that shadow the provider credential variables OpenClaw's global/trusted config relies on (e.g., an API base URL or key variable), and because the loader doesn't sufficiently block workspace-level overrides of these credential keys (CWE-184), the agent picks up the attacker's values at runtime. When the victim runs the agent against that workspace, requests intended for the legitimate LLM provider are either redirected to attacker-controlled infrastructure or the real credentials get logged/exposed through the substituted configuration — handing the attacker valid provider access or the victim's actual API secrets.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
July 8, 2026
Last Modified
July 8, 2026
First Seen
July 8, 2026

Related Vulnerabilities