CVE-2026-35650: OpenClaw has Inconsistent Host Exec Environment Override Sanitization

March 26, 2026 (updated April 10, 2026)

Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.

References

github.com/advisories/GHSA-39pp-xp36-q6mg
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg
nvd.nist.gov/vuln/detail/CVE-2026-35650

Code Behaviors & Features

Detect and mitigate CVE-2026-35650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →