CVE-2026-41368
MEDIUMDescription
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.
Is your site exposed to CVE-2026-41368?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| openclaw | openclaw |
References
Frequently Asked Questions
What is CVE-2026-41368? +
How severe is CVE-2026-41368? +
What products are affected by CVE-2026-41368? +
How do I check if I'm vulnerable to CVE-2026-41368? +
Related Vulnerabilities
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using …
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with …
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, …
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before …
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission …
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they …