CVE-2026-53864
Analyzed Analyzed - Analysis Complete

Path Traversal in OpenClaw Before 2026.5.26

Vulnerability report for CVE-2026-53864, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-18

Assigner: VulnCheck

Description

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-18
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can allow attackers with limited access to environment configuration files or overrides to inject malicious control variables.

Such injection can influence Node.js child processes or coverage output paths, which may result in unauthorized actions or exposure of sensitive data.

The actual impact depends on the operator's configuration and whether untrusted input can reach the affected features.

Executive Summary

CVE-2026-53864 is a vulnerability in OpenClaw versions before 2026.5.26 caused by insufficient sanitization of Node.js control variables in the host environment sanitizer.

Attackers who have access to workspace .env files, tool environment overrides, or skill environment blocks can inject malicious Node.js control variables that bypass validation.

These malicious variables can influence child processes or coverage output paths, potentially leading to unauthorized actions or data exposure.

Detection Guidance

Detection of this vulnerability involves checking if your OpenClaw installation is a version prior to 2026.5.26 and if untrusted environment variables such as workspace .env files, tool environment overrides, or skill environment blocks are being used to pass Node.js control variables.

You can inspect environment files and overrides for suspicious or unexpected Node.js control variables that might influence child processes or coverage output paths.

While no specific commands are provided in the resources, general commands to check environment variables and files include:

  • On Unix/Linux systems, use `env` or `printenv` to list environment variables.
  • Inspect workspace .env files with commands like `cat .env` or `grep NODE_ .env` to find Node.js control variables.
  • Review tool environment overrides or skill environment blocks in your configuration files or scripts for suspicious entries.

Monitoring child processes launched by OpenClaw for unexpected environment variables or paths may also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenClaw to version 2026.5.26 or later, where the vulnerability is patched.

If upgrading is not immediately possible, you should avoid inheriting untrusted environment values, especially from workspace .env files, tool environment overrides, or skill environment blocks.

Keep allowlists for environment variables as narrow as possible to reduce the risk of malicious variables passing through.

Disable the affected feature that processes Node.js control variables if it is not necessary for your operation.

Ensure that your operational policies and boundaries maintain the trusted-operator model to prevent untrusted input from reaching vulnerable features.

Compliance Impact

The vulnerability in OpenClaw allows attackers with access to certain environment variables to inject malicious Node.js control variables, potentially leading to unauthorized actions or data exposure.

Such unauthorized data exposure or manipulation could impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls over data confidentiality and integrity.

However, the advisory notes that the impact depends on the operator's configuration and whether untrusted input can reach the affected feature, and that OpenClaw's trusted-operator model remains intact unless separate policies or boundaries are crossed.

Mitigations include avoiding inheritance of untrusted environment values, keeping allowlists narrow, and disabling the affected feature when unnecessary, which can help maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart