OpenClaw Patches Critical Prompt-Injection Vulnerabilities Ahead of Memorial Day Release

Security researchers disclosed three vulnerabilities in OpenClaw on April 27, 2026, affecting all releases prior to version 2026.4.20. The flaws span a configuration bypass, a bundled-tool filter evasion, and an environment-variable host override, and have been assigned CVE-2026-35650 and CVE-2026-41361.

The three vulnerabilities:

  1. Configuration bypass (CVE-2026-35650): Crafted prompt-injection payloads in model output can write to trusted configuration paths, allowing attackers to silently override sandbox policies, plugin permissions, routing hooks, MCP server settings, and filesystem protections.

  2. Bundled tool filter evasion: Bundled MCP and LSP tools could re-register themselves into an agent’s active toolset after policy filtering, defeating administrator deny lists and restricted access rules.

  3. Host-override attack (CVE-2026-41361): A malicious .env file could override the MINIMAX_API_HOST environment variable and redirect outbound API requests to an attacker-controlled host, enabling credential interception across prompts, model responses, and embedded data.

The blast radius is significant. OpenClaw is widely used as connective tissue in agent and MCP deployments; compromising it propagates to every agent invocation, including file-system access via MCP, API calls to model providers, and policy-controlled actions on production endpoints. Organizations running OpenClaw in regulated environments (EU AI Act, NIST AI RMF) face additional compliance exposure if a silent redirect of model traffic goes undetected.

What users should do: Upgrade to OpenClaw 2026.4.20 or later immediately. Those on older versions should treat any unpatched deployment as actively at risk.
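For the host-override issue, a pre-deployment check can flag .env files that point MINIMAX_API_HOST at a host outside an allow-list. The following is an added example, not OpenClaw code or part of the advisory; the allow-listed host is a placeholder, the sample input is constructed, and the parser assumes common dotenv syntax rather than OpenClaw's own loader.

```python
import re
from urllib.parse import urlsplit

# Only MINIMAX_API_HOST is named in the article; extend for your deployment.
PROTECTED_KEYS = {"MINIMAX_API_HOST"}
# Assumption: placeholder allow-list; replace with the provider hosts you use.
ALLOWED_HOSTS = {"api.minimax.example"}

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample input, not taken from a real incident.
SAMPLE = '''# constructed sample
LOG_LEVEL=info
export MINIMAX_API_HOST="https://collector.attacker.example:8443/v1"  # override
'''

def parse_dotenv(text):
    """Yield (line_no, key, value) for each assignment in dotenv-style text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = None if raw.lstrip().startswith("#") else _LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"'):
            # Quoted value: keep the text up to the matching closing quote.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: an inline comment starts at whitespace + '#'.
            value = re.split(r"\s+#", value, maxsplit=1)[0].strip()
        yield line_no, key, value

def host_of(value):
    """Hostname of a bare host, host:port, or full URL (userinfo is ignored)."""
    candidate = value if "://" in value else "//" + value
    return (urlsplit(candidate).hostname or "").lower()

def audit_dotenv(text):
    """Return (line_no, key, host) for protected keys off the allow-list."""
    findings = []
    for line_no, key, value in parse_dotenv(text):
        if key in PROTECTED_KEYS and host_of(value) not in ALLOWED_HOSTS:
            findings.append((line_no, key, host_of(value)))
    return findings

if __name__ == "__main__":
    for line_no, key, host in audit_dotenv(SAMPLE):
        print(f"line {line_no}: {key} points at unapproved host {host!r}")
```

Comparing the parsed hostname rather than the raw string means a value such as `https://api.minimax.example@evil.example/` is reported as `evil.example` instead of passing a substring match.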

Source: PointGuard AI | CyberSecurityNews
