CVE-2026-53858

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

Fix

Untrusted Search Path

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-426

Related Identifiers

CVE-2026-53858

Affected Products

Openclaw

CVE-2026-53858

Weakness Enumeration

Related Identifiers

Affected Products

References · 3