CVE-2026-53842

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.