CVE-2026-53842
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
Risk Assessment
This vulnerability poses a risk of arbitrary code execution by attackers, which could lead to serious security breaches within the organization. Manipulation of environment variables may allow attackers to gain control over the system.
Recommendation
It is recommended to update OpenClaw to version 2026.5.2 or later to mitigate this vulnerability. Additionally, access to repositories should be restricted to minimize the risk of environment variable manipulation.
Original NVD description (English source)
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

