VYPR
High severity (7.1) · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-53858

Description

OpenClaw before 2026.5.2 allows environment variable injection via workspace .env STATE_DIRECTORY, enabling arbitrary runtime dependency loading and potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before version 2026.5.2 contains an environment variable injection vulnerability in the workspace .env file handling. The STATE_DIRECTORY variable can be set to influence the root path from which bundled runtime dependencies are resolved. When the affected feature is enabled, a malicious .env file in a repository opened by a trusted operator can redirect dependency loading to an unintended local path [1][2].

Exploitation

An attacker must craft a workspace with a .env file that sets STATE_DIRECTORY to a path containing malicious runtime dependencies. The attacker then needs to convince a trusted OpenClaw operator to open that workspace. No authentication is required beyond the operator's existing access, but the operator must have the affected feature enabled. The attack is local (requires file system access to the workspace) and requires user interaction (the operator opening the workspace) [1][2].

Impact

Successful exploitation allows the attacker to load arbitrary runtime dependencies from the attacker-controlled path. This can lead to code execution in the context of the OpenClaw process, with high impact on confidentiality and integrity (CVSS 4.0 base score reflects VC:H and VI:H). The attacker does not gain network access or privilege escalation beyond the OpenClaw process itself [1][2].

Mitigation

The vulnerability is fixed in OpenClaw version 2026.5.2 [1]. Until patched, as a workaround, do not open workspaces whose .env files are untrusted before runtime dependencies have been installed. Additional hardening measures include keeping channel and tool allowlists narrow, not sharing a Gateway between mutually untrusted users, and disabling the affected feature when it is not needed [1][2].
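A pre-open audit of the kind the workaround calls for, added here as an example rather than OpenClaw's own code: it parses a workspace .env file using the common KEY=VALUE and export KEY="VALUE" conventions (an assumption; OpenClaw's parser may differ), reports any STATE_DIRECTORY override, and distinguishes values that resolve outside the workspace root.

```python
# Pre-open audit of a workspace .env file for STATE_DIRECTORY overrides.
# Hypothetical defender-side check: it follows common KEY=VALUE / export
# KEY="VALUE" conventions, not OpenClaw's own .env parser.
import os
import re

WATCHED_KEY = "STATE_DIRECTORY"  # the variable named in the advisory
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def _unquote(value):
    """Strip matching quotes, or a trailing ' # comment' from a bare value."""
    if value and value[0] in "\"'":
        end = value.find(value[0], 1)
        if end != -1:
            return value[1:end]
    return value.split(" #", 1)[0].rstrip()


def parse_dotenv(text):
    """Return {key: value} for a .env body; blank and comment lines do not match."""
    env = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            env[m.group(1)] = _unquote(m.group(2))
    return env


def audit_state_directory(env_text, workspace_root):
    """None when STATE_DIRECTORY is absent; otherwise a verdict string.

    Any override deserves a look; one resolving outside the workspace root
    redirects dependency loading to a path the operator did not choose.
    """
    env = parse_dotenv(env_text)
    if WATCHED_KEY not in env:
        return None
    root = os.path.realpath(workspace_root)
    target = os.path.realpath(os.path.join(root, os.path.expanduser(env[WATCHED_KEY])))
    inside = target == root or target.startswith(root + os.sep)
    return "override-inside-workspace" if inside else "override-outside-workspace"


# Constructed sample .env bodies, not taken from any real repository.
BENIGN_ENV = "# local settings\nAPP_NAME=demo\nexport LOG_LEVEL='debug'\n"
SUSPECT_ENV = 'APP_NAME=demo\nSTATE_DIRECTORY="/tmp/attacker-state"  # constructed\n'

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_ENV), ("suspect", SUSPECT_ENV)):
        print(name, audit_state_directory(body, "/srv/workspace"))
```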

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenClaw/Openclaw (inferred), 2 versions: <2026.5.2, +1 more
    • (no CPE) range: <2026.5.2
    • (no CPE) range: <2026.5.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.