CVE-2026-59261: OpenClaw: dotenv override leaks provider credentials
HIGHOpenClaw, an AI agent framework, will silently let a workspace-level .env file override provider API credentials that should stay locked to the trusted configuration, letting anyone with write access to an input path — a shared repo, a cloned project, a mounted directory — capture or redirect secrets used for LLM provider calls. There's no evidence of active exploitation: it isn't in CISA KEV, no EPSS score or public exploit/scanner template exists yet, and downstream dependent counts aren't tracked for this package, so blast radius is hard to size precisely — but the local, no-privileges-required attack path (CVSS 7.1) makes it a realistic insider/supply-chain risk wherever OpenClaw agents process third-party or team-shared directories. Any organization running OpenClaw against shared codebases, contractor deliverables, or CI checkouts should treat workspace .env files as untrusted input by default. Patch to OpenClaw 2026.5.28 or later immediately, and until then audit and strip .env files from any workspace before pointing an agent at it, rotate provider API keys if untrusted workspaces have already been processed, and alert on outbound calls to unexpected provider endpoints.
What is the risk?
CVSS 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) reflects a low-complexity, no-privilege attack that only needs a victim to open or run a tainted workspace — a routine action for anyone using an AI coding agent on external or team-shared code. Confidentiality and integrity impact are both high (credential exposure and override of trusted config), while availability is unaffected. No KEV listing, EPSS score, public exploit, or Nuclei template exists, so mass automated exploitation is unlikely near-term; this reads as a targeted/insider or workspace-poisoning risk rather than an internet-scanning one. The risk scales with how many teams point OpenClaw at repos, PRs, or directories they don't fully trust.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade to OpenClaw 2026.5.28 or later, which fixes the dotenv trust boundary. Until patched: never point OpenClaw at untrusted or third-party workspaces/repos with credential loading enabled; explicitly strip or allowlist .env files before an agent processes an input path; run the agent with scoped, least-privilege provider API keys inside an isolated sandbox/container so a leaked key has minimal reach; rotate any provider credentials that may already have been exposed to untrusted workspaces; add detection for agent egress to unexpected provider hostnames/base URLs; and add CI checks that reject committed .env files in externally-contributed branches.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-59261?
OpenClaw, an AI agent framework, will silently let a workspace-level .env file override provider API credentials that should stay locked to the trusted configuration, letting anyone with write access to an input path — a shared repo, a cloned project, a mounted directory — capture or redirect secrets used for LLM provider calls. There's no evidence of active exploitation: it isn't in CISA KEV, no EPSS score or public exploit/scanner template exists yet, and downstream dependent counts aren't tracked for this package, so blast radius is hard to size precisely — but the local, no-privileges-required attack path (CVSS 7.1) makes it a realistic insider/supply-chain risk wherever OpenClaw agents process third-party or team-shared directories. Any organization running OpenClaw against shared codebases, contractor deliverables, or CI checkouts should treat workspace .env files as untrusted input by default. Patch to OpenClaw 2026.5.28 or later immediately, and until then audit and strip .env files from any workspace before pointing an agent at it, rotate provider API keys if untrusted workspaces have already been processed, and alert on outbound calls to unexpected provider endpoints.
Is CVE-2026-59261 actively exploited?
No confirmed active exploitation of CVE-2026-59261 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-59261?
Upgrade to OpenClaw 2026.5.28 or later, which fixes the dotenv trust boundary. Until patched: never point OpenClaw at untrusted or third-party workspaces/repos with credential loading enabled; explicitly strip or allowlist .env files before an agent processes an input path; run the agent with scoped, least-privilege provider API keys inside an isolated sandbox/container so a leaked key has minimal reach; rotate any provider credentials that may already have been exposed to untrusted workspaces; add detection for agent egress to unexpected provider hostnames/base URLs; and add CI checks that reject committed .env files in externally-contributed branches.
What systems are affected by CVE-2026-59261?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD agent pipelines, multi-tenant developer workspaces.
What is the CVSS score for CVE-2026-59261?
CVE-2026-59261 has a CVSS v3.1 base score of 7.1 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0055 Unsecured Credentials AML.T0081 Modify AI Agent Configuration AML.T0083 Credentials from AI Agent Configuration AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.
Exploitation Scenario
An attacker contributes to or plants a file in a repository, shared directory, or CI checkout that OpenClaw will later process — a low-trust input path the victim doesn't fully audit. The dropped .env file defines entries that shadow the provider credential variables OpenClaw's global/trusted config relies on (e.g., an API base URL or key variable), and because the loader doesn't sufficiently block workspace-level overrides of these credential keys (CWE-184), the agent picks up the attacker's values at runtime. When the victim runs the agent against that workspace, requests intended for the legitimate LLM provider are either redirected to attacker-controlled infrastructure or the real credentials get logged/exposed through the substituted configuration — handing the attacker valid provider access or the victim's actual API secrets.
Weaknesses (CWE)
CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw