VYPR
High severity (8.8) · NVD Advisory · Published Jun 11, 2026

CVE-2026-53819

Description

OpenClaw before 2026.5.27 allows arbitrary code execution via workspace .env files overriding Homebrew executable selection during skill install, enabling attackers with workspace access to run malicious executables.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw versions prior to 2026.5.27 contain an arbitrary code execution vulnerability in the skill install flows. A workspace .env file can override the Homebrew executable selection used by the install helper. This affects any configuration where the feature is enabled and reachable; the only precondition is that an operator runs a skill install from a workspace an attacker controls. [1]

Exploitation

An attacker with access to a trusted operator's workspace can craft a .env file that names an unintended Homebrew-compatible executable. When the operator triggers a skill install flow, the install helper resolves the Homebrew executable from the value in that .env file and runs the attacker-chosen binary instead of the legitimate Homebrew one. No further authentication is required beyond the existing workspace access. [1]

Impact

Successful exploitation results in the execution of an arbitrary Homebrew-compatible executable during skill setup. The attacker gains the ability to run code in the context of the install helper, which can lead to full system compromise depending on operator privileges and configuration. The CVSS v3 score is 8.8 (High), indicating high impact on confidentiality, integrity, and availability. [1]

Mitigation

The first stable patched version is 2026.5.27. As a workaround, avoid running skill install flows from untrusted workspaces until patched. General hardening measures include keeping channel and tool allowlists narrow, avoiding sharing a Gateway between mutually untrusted users, and disabling the affected feature when not needed. No KEV listing has been published. [1]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
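The override path the Insight describes, as an added example that is not OpenClaw's code (the HOMEBREW_BIN key, the function names and the default paths are assumptions): a workspace .env parsed into an env map, a resolver that lets that map choose the brew binary, and a hardened resolver that takes candidates only from operator config and built-in defaults and refuses relative paths and anything under the workspace root.

```typescript
// Added example (hypothetical names, not OpenClaw's code): how a workspace .env
// can steer which "brew" binary an install helper runs, beside a resolver that
// never lets workspace-controlled values choose the executable.
import * as path from "node:path";

// Minimal .env parser: KEY=VALUE per line, '#' comments, surrounding quotes stripped.
export function parseDotenv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    env[key] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// Weak pattern: a key in the workspace .env (hypothetical HOMEBREW_BIN) wins over
// the default, so whoever can write the workspace decides what gets executed.
export function resolveBrewUnsafe(workspaceEnv: Record<string, string>): string {
  return workspaceEnv.HOMEBREW_BIN ?? "/opt/homebrew/bin/brew";
}

// Hardened pattern: candidates come from operator config and built-in defaults only;
// relative paths and anything inside the workspace root are refused.
const DEFAULT_BREW_PATHS = ["/opt/homebrew/bin/brew", "/usr/local/bin/brew"];
export function resolveBrewSafe(opts: {
  workspaceRoot: string;
  operatorBrewPath?: string; // from operator-level config, never from the workspace
  exists: (p: string) => boolean; // injected so the example runs without a real brew
}): string | undefined {
  const root = path.resolve(opts.workspaceRoot) + path.sep;
  const candidates = opts.operatorBrewPath
    ? [opts.operatorBrewPath, ...DEFAULT_BREW_PATHS]
    : DEFAULT_BREW_PATHS;
  for (const c of candidates) {
    if (!path.isAbsolute(c)) continue; // relative paths resolve against cwd (the workspace)
    const full = path.resolve(c);
    if (full.startsWith(root)) continue; // workspace-writable location: attacker controlled
    if (opts.exists(full)) return full;
  }
  return undefined; // caller should fail closed rather than fall back to PATH lookup
}

// Constructed sample: a workspace .env that tries to redirect the install helper.
export const SAMPLE_WORKSPACE_ENV = parseDotenv(
  '# looks harmless\nNODE_ENV=production\nHOMEBREW_BIN="./.tools/brew"\n',
);
```

With the sample .env, `resolveBrewUnsafe` returns the workspace-relative `./.tools/brew` while `resolveBrewSafe` ignores it and returns the first trusted path that exists.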

Affected products (2)

  • OpenClaw/Openclaw (inferred), 2 versions: <2026.5.27 (+1 more)
    • (no CPE) range: <2026.5.27
    • (no CPE) range: <2026.5.27

Patches (1)

27ae826f6525 · fix(release): accept openclaw qa runtime alias

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · May 28, 2026 · Fixed in 2026.5.27 via release-tag
2 files changed · +31 −3
  • extensions/qa-lab/src/cli.runtime.test.ts (+16 −0, modified)
    @@ -289,6 +289,22 @@ describe("qa cli runtime", () => {
         });
       });
     
    +  it("accepts openclaw as a runtime-pair suite alias", async () => {
    +    await runQaSuiteCommand({
    +      repoRoot: "/tmp/openclaw-repo",
    +      providerMode: "mock-openai",
    +      scenarioIds: ["approval-turn-tool-followthrough"],
    +      runtimePair: "openclaw,codex",
    +    });
    +
    +    expect(runQaSuiteFromRuntime).toHaveBeenCalledWith(
    +      expect.objectContaining({
    +        repoRoot: path.resolve("/tmp/openclaw-repo"),
    +        runtimePair: ["pi", "codex"],
    +      }),
    +    );
    +  });
    +
       it("drops blank suite model refs so provider defaults apply", async () => {
         await runQaSuiteCommand({
           repoRoot: "/tmp/openclaw-repo",
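Review bot: the new test only exercises the alias on the left of the pair; `runtimePair: "openclaw,pi"` now normalizes to `["pi", "pi"]` and is rejected by the `left === right` check with a message that says nothing about aliasing, so add a second case asserting that input throws (and assert on the message once it mentions that openclaw is an alias for pi). The existing assertion on `runtimePair: ["pi", "codex"]` documents the folding well.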
    
  • extensions/qa-lab/src/cli.runtime.ts (+15 −3, modified)
    @@ -169,6 +169,16 @@ function normalizeQaOptionalModelRef(input: string | undefined) {
       return model && model.length > 0 ? model : undefined;
     }
     
    +function normalizeQaRuntimePairId(value: string): RuntimeId | undefined {
    +  if (value === "openclaw" || value === "pi") {
    +    return "pi";
    +  }
    +  if (value === "codex") {
    +    return "codex";
    +  }
    +  return undefined;
    +}
    +
     function parseQaRuntimePair(value: string | undefined): [RuntimeId, RuntimeId] | undefined {
       if (!value?.trim()) {
         return undefined;
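Review bot: `normalizeQaRuntimePairId` compares exact strings, so `OpenClaw` or, if the comma split leaves whitespace on the parts, `codex ` falls through to `undefined`; either apply `value.trim().toLowerCase()` before the comparisons or state in a doc comment that matching is exact and case-sensitive. A doc comment explaining that `"openclaw"` is a user-facing alias folded onto the internal `"pi"` id would also help, since the returned id no longer tells callers which spelling was given.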
    @@ -180,9 +190,11 @@ function parseQaRuntimePair(value: string | undefined): [RuntimeId, RuntimeId] |
       if (parts.length !== 2) {
         throw new Error('--runtime-pair must use exactly two runtimes, e.g. "pi,codex".');
       }
    -  const [left, right] = parts;
    -  if ((left !== "pi" && left !== "codex") || (right !== "pi" && right !== "codex")) {
    -    throw new Error('--runtime-pair only supports "pi" and "codex".');
    +  const [rawLeft, rawRight] = parts;
    +  const left = normalizeQaRuntimePairId(rawLeft);
    +  const right = normalizeQaRuntimePairId(rawRight);
    +  if (!left || !right) {
    +    throw new Error('--runtime-pair only supports "pi", "openclaw", and "codex".');
       }
       if (left === right) {
         throw new Error("--runtime-pair must compare two different runtimes.");
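Review bot: with the alias folded before the `left === right` comparison, `--runtime-pair openclaw,pi` now fails with "must compare two different runtimes" even though the user typed two distinct names; consider mentioning `rawLeft`/`rawRight` in that message or stating that openclaw and pi are the same runtime. The accepted-name list in the new error string is also maintained by hand next to the alias table in `normalizeQaRuntimePairId`, so the two can drift; deriving the message from one list would avoid that. Separately, nothing in this commit touches .env handling or Homebrew executable selection: it is linked to the CVE only through the 2026.5.27 release tag and should not be read as the fix for the vulnerability described above.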
    


References (2)
