CVE-2026-53864
Status: Received - Intake
Path Traversal in OpenClaw Before 2026.5.26

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.5.26 (excluding 2026.5.26)
CWE ID: CWE-184
CWE Description: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Impact Analysis

This vulnerability can allow attackers with limited access to environment configuration files or overrides to inject malicious control variables.

Such injection can influence Node.js child processes or coverage output paths, which may result in unauthorized actions or exposure of sensitive data.

The actual impact depends on the operator's configuration and whether untrusted input can reach the affected features.

Executive Summary

CVE-2026-53864 is a vulnerability in OpenClaw versions before 2026.5.26 caused by insufficient sanitization of Node.js control variables in the host environment sanitizer.

Attackers who have access to workspace .env files, tool environment overrides, or skill environment blocks can inject malicious Node.js control variables that bypass validation.

These malicious variables can influence child processes or coverage output paths, potentially leading to unauthorized actions or data exposure.

Detection Guidance

To detect exposure, first check whether your OpenClaw installation is older than 2026.5.26, then check whether untrusted environment sources (workspace .env files, tool environment overrides, or skill environment blocks) are used to pass Node.js control variables.

You can inspect environment files and overrides for suspicious or unexpected Node.js control variables that might influence child processes or coverage output paths.

While no specific commands are provided in the resources, general commands to check environment variables and files include:

  • On Unix/Linux systems, use `env` or `printenv` to list environment variables.
  • Inspect workspace .env files with commands like `cat .env` or `grep NODE_ .env` to find Node.js control variables.
  • Review tool environment overrides or skill environment blocks in your configuration files or scripts for suspicious entries.

Monitoring child processes launched by OpenClaw for unexpected environment variables or paths may also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenClaw to version 2026.5.26 or later, where the vulnerability is patched.

If upgrading is not immediately possible, you should avoid inheriting untrusted environment values, especially from workspace .env files, tool environment overrides, or skill environment blocks.

Keep allowlists for environment variables as narrow as possible to reduce the risk of malicious variables passing through.

Disable the affected feature that processes Node.js control variables if it is not necessary for your operation.

Ensure that your operational policies and boundaries maintain the trusted-operator model to prevent untrusted input from reaching vulnerable features.
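The CWE-184 shape behind this CVE and the allowlist mitigation above, as an added JavaScript example that is not OpenClaw's code: NODE_OPTIONS and NODE_V8_COVERAGE are real Node.js control variables (the latter sets the coverage output directory), while the DENIED and ALLOWED sets, the .env parser and the sample file are assumptions made for illustration.

```javascript
// Added example, not OpenClaw's code. Contrasts a sanitizer built on an
// incomplete denylist (CWE-184) with one built on an allowlist, and shows the
// .env check from the detection guidance as code.

// Minimal .env parser: KEY=VALUE lines, optional "export", '#' comments ignored.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
    if (m) vars[m[1]] = m[2];
  }
  return vars;
}

// Weak sanitizer (hypothetical): drops only the variables someone thought of.
// A Node.js control variable missing from the list, here NODE_V8_COVERAGE,
// passes straight through to the child process environment.
const DENIED = new Set(["NODE_OPTIONS"]);
function sanitizeDenylist(untrusted) {
  return Object.fromEntries(Object.entries(untrusted).filter(([k]) => !DENIED.has(k)));
}

// Hardened sanitizer (hypothetical allowlist): copies only keys the child is
// known to need; everything else, including every NODE_* variable, is dropped
// and returned so the caller can log what was rejected.
const ALLOWED = new Set(["PATH", "HOME", "LANG", "TZ"]);
function sanitizeAllowlist(untrusted) {
  const env = {};
  const dropped = [];
  for (const [k, v] of Object.entries(untrusted)) {
    if (ALLOWED.has(k)) env[k] = v; else dropped.push(k);
  }
  return { env, dropped };
}

// Detection check: which keys of a parsed .env carry the NODE_ prefix that
// Node.js uses for its own control variables.
function findNodeControlVars(vars) {
  return Object.keys(vars).filter((k) => k.startsWith("NODE_"));
}

// Constructed sample workspace .env for the demonstration.
const SAMPLE_DOTENV = `API_URL=https://example.invalid
NODE_OPTIONS=--max-old-space-size=512
export NODE_V8_COVERAGE=/tmp/cov
HOME=/home/operator
# comment line`;

const vars = parseDotenv(SAMPLE_DOTENV);
console.log(findNodeControlVars(vars));           // [ 'NODE_OPTIONS', 'NODE_V8_COVERAGE' ]
console.log(Object.keys(sanitizeDenylist(vars))); // NODE_V8_COVERAGE survives the denylist
console.log(sanitizeAllowlist(vars).dropped);     // [ 'API_URL', 'NODE_OPTIONS', 'NODE_V8_COVERAGE' ]
```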
