CVE Catalog

CVE-2026-53858

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

Risk Assessment

This vulnerability poses a risk of executing malicious code in a production environment, potentially leading to system and data compromise.

Recommendation

It is recommended to update OpenClaw to version 2026.5.2 or later and review the configuration of environment variables to minimize injection risks.

Original NVD description (English source)

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS