CVE-2026-53842
Environment Variable Injection in OpenClaw

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.5.2 (2026.5.2 itself is excluded from the affected range, i.e. it is the fixed release)
CWE ID: CWE-426 (Untrusted Search Path)
Description: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Executive Summary

OpenClaw versions before 2026.5.2 contain an environment variable injection vulnerability. During Gmail setup, OpenClaw runs the gcloud CLI, and gcloud honors the CLOUDSDK_PYTHON environment variable to choose the Python interpreter it runs under. Because values from workspace .env files reach that environment, anyone who can write to the repository can set CLOUDSDK_PYTHON to a local Python path of their choosing, so the setup runs through an unintended interpreter and the interpreter's code executes with the operator's privileges. This is why the flaw is classified as an untrusted search path (CWE-426) rather than a bug in gcloud itself.

Impact Analysis

If exploited, this vulnerability lets an attacker with repository access execute arbitrary code on the machine of whoever runs the Gmail setup, with that operator's privileges, by forcing gcloud to start under a malicious or unintended Python runtime. The planted interpreter runs before any gcloud logic does, so the setup step itself need not complete for the payload to execute. This can compromise the environment where OpenClaw is used, including any credentials or tokens present on that host, and can lead to unauthorized actions or data exposure.

Detection Guidance

Detecting exposure to this vulnerability means finding workspace .env files that set CLOUDSDK_PYTHON, and confirming whether the value points at an interpreter the operator actually intends to use. On an unpatched OpenClaw, any such setting in a repository an operator runs Gmail setup from is a potential injection point; a legitimate setting will point at a system or managed interpreter, while a suspicious one points into the repository, a temporary directory, or a relative path that is resolved at run time.

Inspect .env files (including variants such as .env.local) in every workspace repository for CLOUDSDK_PYTHON assignments that you did not put there, and check the value, not only the presence of the key.

Suggested commands to detect potential exploitation include:

  • Search .env files for CLOUDSDK_PYTHON, restricting the search to dotenv files so the hits are the ones that matter: `grep -rn --include='.env*' CLOUDSDK_PYTHON /path/to/workspace`
  • Check the environment as gcloud actually sees it. `env | grep CLOUDSDK_PYTHON` only shows your current shell; to confirm what a running gcloud inherited on Linux, read the process environment directly: `tr '\0' '\n' < /proc/<gcloud-pid>/environ | grep CLOUDSDK_PYTHON`
  • Audit recent changes to .env files. If the files are tracked, `git log -p -- '.env*'` shows who changed them and when; note that .env files are often gitignored, in which case file modification times and host-level audit logs are the only record of a change.
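The following script is an added example written for this page, not OpenClaw's code and not a tool from the OpenClaw project. It performs the audit the detection list above describes, and the last function shows the hardened invocation the mitigation section asks for: running gcloud with the workspace override stripped from the environment. The trusted interpreter prefixes, the sample .env contents, and the function names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not OpenClaw's code). Scan a workspace for dotenv files that
# set CLOUDSDK_PYTHON and flag values that do not point under a trusted
# interpreter prefix. All paths and prefixes below are assumptions.

# Assumed allowlist of interpreter locations; adjust for your hosts.
TRUSTED_PREFIXES="/usr/bin /usr/local/bin /opt/homebrew/bin"

# Print one tab-separated "file<TAB>line<TAB>value" record per
# CLOUDSDK_PYTHON assignment found in .env or .env.* files under $1.
# Handles an optional "export " prefix and surrounding single/double quotes.
scan_env_files() {
    find "$1" -type f \( -name '.env' -o -name '.env.*' \) 2>/dev/null |
    while IFS= read -r f; do
        grep -n -E '^[[:space:]]*(export[[:space:]]+)?CLOUDSDK_PYTHON[[:space:]]*=' "$f" 2>/dev/null |
        while IFS= read -r hit; do
            lineno="${hit%%:*}"
            value="${hit#*=}"
            value="$(printf '%s' "$value" | sed -e 's/^[[:space:]]*//' \
                -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/")"
            printf '%s\t%s\t%s\n' "$f" "$lineno" "$value"
        done
    done
}

# Return 0 (true) when the interpreter path should be treated as suspicious:
# a relative path or bare command name (resolved via PATH or the workspace at
# run time), or an absolute path outside every trusted prefix.
is_suspicious_python() {
    case "$1" in
        /*) ;;
        *) return 0 ;;
    esac
    for p in $TRUSTED_PREFIXES; do
        case "$1" in
            "$p"/*) return 1 ;;
        esac
    done
    return 0
}

# Report every assignment and return 1 if any of them is suspicious.
audit_workspace() {
    rc=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r file lineno value; do
        [ -n "$file" ] || continue
        if is_suspicious_python "$value"; then
            printf 'SUSPICIOUS %s:%s CLOUDSDK_PYTHON=%s\n' "$file" "$lineno" "$value"
            rc=1
        else
            printf 'ok         %s:%s CLOUDSDK_PYTHON=%s\n' "$file" "$lineno" "$value"
        fi
    done <<EOF
$(scan_env_files "$1")
EOF
    return "$rc"
}

# Hardened invocation: run a command (e.g. gcloud ...) in a subshell from
# which any inherited CLOUDSDK_PYTHON has been removed, so only an operator
# who sets it explicitly afterwards can steer interpreter selection.
run_gcloud_clean() {
    ( unset CLOUDSDK_PYTHON; exec "$@" )
}
```

Usage: `audit_workspace /path/to/workspace` prints one line per assignment and exits non-zero if anything looks wrong, which makes it usable as a pre-setup gate; `run_gcloud_clean gcloud auth login` starts gcloud without the override. Values that end in a trailing `# comment` are not stripped, so review any flagged value by eye before acting on it.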
Mitigation Strategies

The fix is to update OpenClaw to version 2026.5.2 or later, where workspace .env values can no longer steer gcloud's interpreter selection. Until that update is in place, immediate mitigation steps include:

  • Run Gmail setup only from trusted workspaces, so no untrusted .env file can influence the environment gcloud inherits.
  • Clear or remove any workspace environment overrides, especially CLOUDSDK_PYTHON, and unset the variable in the shell before invoking the setup.
  • Keep channel and tool allowlists narrow to reduce exposure.
  • Avoid sharing Gateways between untrusted users, so that one user's repository cannot influence setup run on another user's behalf.
  • Disable the Gmail setup feature if it is not needed.
