CVE-2026-53846
Status: Received - Intake
Path Traversal in OpenClaw Before 2026.4.29

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
Meta Information
Generated: 2026-06-16
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version range: before 2026.4.29 (exclusive)
CWE
CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Executive Summary

CVE-2026-53846 is a path traversal vulnerability in OpenClaw versions before 2026.4.29. It occurs in the install helper component, where a workspace .env file can override the npm_execpath configuration. This configuration determines which package-manager executable is used during runtime dependency installation.

An attacker with access to the workspace can exploit this flaw to execute unintended local package-manager binaries during the dependency setup process, potentially compromising the build environment.

Impact Analysis

This vulnerability can allow attackers who have workspace access to execute arbitrary local package-manager executables during dependency installation. This can lead to compromise of the build environment, potentially allowing malicious code execution or unauthorized actions within the build process.

The impact depends on the operator's configuration and whether untrusted input can influence the npm_execpath setting.

  • Compromise of build environment integrity
  • Execution of unintended or malicious package-manager binaries

Detection Guidance

To check for this vulnerability, confirm whether your OpenClaw installation is older than 2026.4.29 and whether the install helper still honours npm_execpath overrides taken from workspace .env files.

You can inspect workspace .env files for suspicious overrides of the npm_execpath configuration that might point to unintended local package-manager executables.

Commands to help detect potential exploitation or presence of the vulnerability include:

  • Check the OpenClaw version: `openclaw --version`, or inspect package.json for the OpenClaw dependency version.
  • Search for npm_execpath overrides in workspace .env files: `grep -r npm_execpath .`
  • Audit running processes or logs during dependency installation for unexpected package-manager executions.
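The second and third checks above can be scripted. The POSIX shell script below is an added example written for this page; it is not OpenClaw tooling and the advisory does not describe its format. It assumes that an override is any `npm_execpath` assignment (case-insensitive, with or without `export`) in a `.env` or `.env.*` file, and that the operator maintains an allowlist of expected package-manager entry points; the allowlist paths and the sample workspace it builds are constructed for illustration. An override is reported as suspicious when it is relative, contains `..` or `.` path components, or simply does not match the allowlist, which covers the unintended-executable case the advisory describes.

```shell
#!/bin/sh
# Added example, not part of OpenClaw or the advisory: scan workspace .env
# files for npm_execpath overrides and flag values that do not match an
# allowlist of expected package-manager executables. The allowlist paths
# and the sample workspace below are assumptions constructed for illustration.

# Expected package-manager entry points (assumed; override via environment).
ALLOWED_EXECPATHS=${ALLOWED_EXECPATHS:-"/usr/lib/node_modules/npm/bin/npm-cli.js /usr/local/lib/node_modules/npm/bin/npm-cli.js"}

# normalize_value RAW: trim surrounding whitespace and one layer of quotes.
normalize_value() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                         -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# is_allowed_execpath PATH: succeed only for an absolute, traversal-free path
# that exactly matches an allowlist entry. Relative paths are rejected because
# they would resolve relative to the (untrusted) workspace.
is_allowed_execpath() {
  candidate=$1
  case "$candidate" in
    /*) ;;
    *) return 1 ;;
  esac
  case "/$candidate/" in
    */../*|*/./*) return 1 ;;
  esac
  for allowed in $ALLOWED_EXECPATHS; do
    [ "$candidate" = "$allowed" ] && return 0
  done
  return 1
}

# scan_env_file FILE: print "FILE<TAB>VALUE<TAB>VERDICT" for every
# npm_execpath assignment (case-insensitive, optional "export" prefix);
# return 1 if any value is not allowlisted.
scan_env_file() {
  file=$1
  bad=0
  # Collect matches first so the loop runs in the current shell and can
  # update $bad; grep exits 1 when nothing matches, which is not an error.
  matches=$(grep -iE '^[[:space:]]*(export[[:space:]]+)?npm_execpath[[:space:]]*=' "$file" || true)
  [ -n "$matches" ] || return 0
  while IFS= read -r line; do
    value=$(normalize_value "${line#*=}")
    if is_allowed_execpath "$value"; then
      printf '%s\t%s\tallowlisted\n' "$file" "$value"
    else
      printf '%s\t%s\tsuspicious\n' "$file" "$value"
      bad=$((bad + 1))
    fi
  done <<EOF
$matches
EOF
  [ "$bad" -eq 0 ]
}

# count_suspicious_overrides DIR: number of non-allowlisted overrides across
# every .env and .env.* file under DIR (paths assumed to contain no spaces).
count_suspicious_overrides() {
  total=0
  for f in $(find "$1" -type f \( -name '.env' -o -name '.env.*' \)); do
    n=$(scan_env_file "$f" | grep -c 'suspicious$' || true)
    total=$((total + n))
  done
  echo "$total"
}

# make_demo_workspace: create a throwaway workspace with constructed .env
# files (not taken from any real project) and print its path.
make_demo_workspace() {
  ws=$(mktemp -d)
  mkdir -p "$ws/trusted" "$ws/relative" "$ws/traversal" "$ws/quiet"
  printf 'npm_execpath=/usr/lib/node_modules/npm/bin/npm-cli.js\n' > "$ws/trusted/.env"
  printf 'export NPM_EXECPATH="./node_modules/.bin/not-really-npm"\n' > "$ws/relative/.env"
  printf 'npm_execpath = /opt/../tmp/npm-cli.js\n' > "$ws/traversal/.env.local"
  printf 'API_URL=https://example.invalid\n' > "$ws/quiet/.env"
  printf '%s' "$ws"
}

# Stand-alone run: report each file, then the total, then clean up.
demo=$(make_demo_workspace)
for f in $(find "$demo" -type f \( -name '.env' -o -name '.env.*' \)); do
  scan_env_file "$f" || true
done
echo "suspicious npm_execpath overrides: $(count_suspicious_overrides "$demo")"
rm -rf "$demo"
```

Point `count_suspicious_overrides` at a real workspace root instead of the demo directory, and set `ALLOWED_EXECPATHS` to the package-manager paths your build hosts actually use. The check compares the literal string in the file; it does not resolve symlinks or verify that the allowlisted file is itself unmodified, so pair it with the process and log audit from the last bullet above rather than relying on it alone.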

Mitigation Strategies

Immediate mitigation steps include upgrading OpenClaw to version 2026.4.29 or later, which contains the patch for this vulnerability.

Until patched, only install bundled runtime dependencies from trusted workspaces to reduce risk.

  • Keep channel and tool allowlists narrow to limit exposure.
  • Avoid sharing Gateways between untrusted users to prevent unauthorized workspace access.
  • Disable the feature that allows workspace .env files to override npm_execpath if it is not necessary.