CVE-2026-41391
MEDIUMDescription
OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables.
Is your site exposed to CVE-2026-41391?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| openclaw | openclaw |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-41391? +
How severe is CVE-2026-41391? +
What products are affected by CVE-2026-41391? +
How do I check if I'm vulnerable to CVE-2026-41391? +
Related Vulnerabilities
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until …
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to …
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until …
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior …
Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and …
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device …