CVE Catalog

CVE-2026-53864

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

OpenClaw before version 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables.

Risk Assessment

This vulnerability may lead to unauthorized influence on child processes or coverage output paths, posing a serious threat to the security of the application and the organization's data.

Recommendation

It is recommended to update OpenClaw to version 2026.5.26 or later and to review and secure access to .env files and other sensitive resources.

Original NVD description (English source)

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS