CVE-2026-53864
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
OpenClaw before version 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables.
Risk Assessment
This vulnerability may lead to unauthorized influence on child processes or coverage output paths, posing a serious threat to the security of the application and the organization's data.
Recommendation
It is recommended to update OpenClaw to version 2026.5.26 or later and to review and secure access to .env files and other sensitive resources.
Original NVD description (English source)
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

