CVE Catalog

CVE-2026-53846

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

OpenClaw before version 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup.

Risk Assessment

This vulnerability may lead to the compromise of the build environment, allowing attackers to execute unauthorized commands in the context of the application. Organizations should be aware of the risks associated with unauthorized access to the workspace.

Recommendation

It is recommended to update OpenClaw to version 2026.4.29 or later to mitigate this vulnerability. Additionally, access to the workspace should be restricted to trusted users.

Original NVD description (English source)

OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS