CVE-2026-53842
Awaiting Analysis Awaiting Analysis - Queue

Environment Variable Injection in OpenClaw

Vulnerability report for CVE-2026-53842, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-18

Assigner: VulnCheck

Description

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-18
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

OpenClaw versions before 2026.5.2 contain an environment variable injection vulnerability. This flaw allows attackers who have access to the repository to manipulate the CLOUDSDK_PYTHON environment variable via workspace .env files. By doing so, they can influence which Python runtime is selected during the Gmail setup process executed by gcloud. This manipulation can cause the setup to run through unintended local Python paths, potentially enabling arbitrary code execution.

Impact Analysis

If exploited, this vulnerability can allow an attacker with repository access to execute arbitrary code on the system by forcing the Gmail setup process to run using a malicious or unintended Python runtime. This could compromise the security of the environment where OpenClaw is used, potentially leading to unauthorized actions or data exposure.

Detection Guidance

Detection of this vulnerability involves checking for the presence and manipulation of the CLOUDSDK_PYTHON environment variable in workspace .env files within repositories accessible to operators.

You can inspect .env files in your workspace repositories for any suspicious or unintended CLOUDSDK_PYTHON variable settings that could influence the Python runtime used by gcloud during Gmail setup.

Suggested commands to detect potential exploitation include:

  • Search for CLOUDSDK_PYTHON in .env files: `grep -r CLOUDSDK_PYTHON /path/to/workspace`
  • Check environment variables during gcloud execution: `env | grep CLOUDSDK_PYTHON`
  • Audit recent changes to .env files in repositories to detect unauthorized modifications.
Mitigation Strategies

Immediate mitigation steps include:

  • Run Gmail setup only from trusted workspaces to avoid untrusted environment variable influence.
  • Clear or remove any workspace environment overrides, especially the CLOUDSDK_PYTHON variable, until the system is patched.
  • Keep channel and tool allowlists narrow to reduce exposure.
  • Avoid sharing Gateways between untrusted users to maintain security boundaries.
  • Disable the affected feature if it is not necessary.

Additionally, update OpenClaw to version 2026.5.2 or later where this vulnerability is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart