CVE-2026-53858: Environment Variable Injection in OpenClaw

Status: Received (Intake)

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability: a STATE_DIRECTORY value set in a workspace .env file could influence the root paths from which bundled runtime dependencies are loaded. Attackers can manipulate the STATE_DIRECTORY variable to make runtime dependencies load from unintended local paths, potentially executing malicious code during dependency resolution.
Meta Information
Published: 2026-06-16; Last modified: 2026-06-16; Generated: 2026-06-16; AI Q&A: 2026-06-16; EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw; Product: openclaw; Version / Range: before 2026.5.2 (2026.5.2 itself excluded)
CWE
CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Executive Summary

CVE-2026-53858 is a vulnerability in OpenClaw versions before 2026.5.2 where the workspace .env file can manipulate the STATE_DIRECTORY environment variable. This variable influences the roots of bundled runtime dependencies.

Attackers can exploit this by changing the STATE_DIRECTORY to load runtime dependencies from unintended local paths. This can cause malicious code to be executed during the dependency resolution process.

The vulnerability arises from an untrusted search path issue, meaning that the software may load code from locations that are not properly verified or trusted.

Impact Analysis

If exploited, this vulnerability can lead to the execution of malicious code on your system during the runtime dependency loading phase.

The impact depends on your configuration and whether untrusted input can influence the STATE_DIRECTORY path. If an attacker can control this, they might load harmful dependencies from local paths.

This could compromise the integrity and security of your OpenClaw environment, potentially allowing unauthorized actions or code execution.

Mitigation Strategies

To mitigate the CVE-2026-53858 vulnerability in OpenClaw, you should upgrade to version 2026.5.2 or later, where the issue is patched.

Avoid opening untrusted workspace .env files before dependency installation to prevent manipulation of the STATE_DIRECTORY environment variable.

Disable the feature that allows the STATE_DIRECTORY environment variable to influence runtime dependency roots if it is not necessary in your environment.
