CVE-2026-53846
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
OpenClaw before version 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup.
Risk Assessment
This vulnerability may lead to the compromise of the build environment, allowing attackers to execute unauthorized commands in the context of the application. Organizations should be aware of the risks associated with unauthorized access to the workspace.
Recommendation
It is recommended to update OpenClaw to version 2026.4.29 or later to mitigate this vulnerability. Additionally, access to the workspace should be restricted to trusted users.
Original NVD description (English source)
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.

