CVE-2026-53813: OpenClaw: path traversal enables RCE via memory-core artifacts

HIGH
Published June 11, 2026
CISO Take

OpenClaw's memory-core artifact loader trusts workspace-supplied path information without adequate validation, allowing a low-privileged attacker who controls workspace state to redirect artifact loading to an adversary-chosen local path and achieve code execution or sensitive data access (CWE-427, CVSS 7.8). Although the attack is local, AI agent deployments routinely grant workspace access to developers, automated pipelines, and third-party integrations—meaningfully widening the realistic attack surface beyond a single privileged account. Prior documented abuse of OpenClaw's ecosystem (AIID #1368, where ~17% of third-party skills were assessed as malicious and delivered credential stealers) confirms this framework is an active adversarial target, and the package's 155-CVE track record signals persistent security debt warranting elevated scrutiny. Patch to 2026.4.25 immediately; if delayed, restrict workspace write access to trusted principals only and monitor for memory-core artifact loads from paths outside the expected installation tree.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck, AIID

What is the risk?

High risk for organizations running OpenClaw-based AI agents. The local attack vector limits opportunistic exploitation but is realistic in multi-tenant agent platforms, shared development environments, and CI/CD pipelines where multiple principals share workspace access. Low attack complexity (AC:L) with no user interaction required (UI:N) means exploitation is straightforward once workspace access is obtained. Full CIA triad impact (C:H/I:H/A:H) combined with the framework's 155-CVE history and documented real-world ecosystem abuse elevates effective risk beyond what the 7.8 CVSS score alone suggests. The absence of EPSS data and KEV listing reduces urgency slightly, but the AIID #1368 precedent of active targeting of this framework offsets that reduction.

How does the attack unfold?

  1. Workspace Access (AML.T0012): Adversary obtains low-privilege access to a shared OpenClaw workspace via a developer account, compromised CI pipeline token, or a malicious third-party skill integration.

  2. Path Manipulation (AML.T0081): Adversary modifies workspace state metadata to alter OpenClaw's local package root resolution, redirecting it to an attacker-controlled directory containing a malicious memory-core artifact.

  3. Malicious Artifact Load (AML.T0080.000): OpenClaw loads the adversary's malicious memory-core artifact from the manipulated path during agent initialization or a scheduled memory reload cycle, bypassing integrity checks.

  4. Execution and Exfiltration (AML.T0037): The loaded artifact executes code under agent runtime privileges, granting access to persisted agent memory state, connected tool credentials, and sensitive data reachable by the agent.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Patched: No patch
4 dependents; 79% patched; ~0 days to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Patch immediately: upgrade to OpenClaw 2026.4.25 or later (reference GHSA-v8cx-933x-r976).

  2. Interim workaround: restrict write access to OpenClaw workspace directories to trusted service accounts only; prevent arbitrary users or integrations from modifying workspace state metadata.

  3. Audit: review all workspace configurations for unexpected or recently modified package root path settings.

  4. Detection: monitor file system access logs for OpenClaw processes loading artifacts from paths outside the expected installation directory tree; alert on anomalous artifact load paths.

  5. Isolation: in multi-tenant deployments, enforce workspace isolation at the OS level via separate users, containers, or VMs per tenant.

  6. Dependency audit: identify and patch all downstream projects that depend on OpenClaw—4 are currently tracked, but transitive dependents may be broader.
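The path-containment check that steps 1 and 2 rely on, beside the weak resolution pattern (CWE-427) it replaces, and the load-path detection of step 4 run over constructed log lines; this is an added Python example (the package ships on pip), not OpenClaw's own code, and EXPECTED_ROOT, the log format and every path in it are assumptions.

```python
"""Added example (not OpenClaw project code). Names, the log format and the
installation path are hypothetical, chosen to illustrate the advisory."""
import os
import re
from typing import List, Optional

# Hypothetical expected installation tree for memory-core artifacts.
EXPECTED_ROOT = "/opt/openclaw/memory-core"


def naive_package_root(workspace_root: str, expected_root: str = EXPECTED_ROOT) -> str:
    """Weak form (the CWE-427 pattern): the workspace-supplied value is trusted.
    An absolute path discards expected_root entirely and '..' walks out of it."""
    return os.path.normpath(os.path.join(expected_root, workspace_root))


def resolve_package_root(workspace_root: str, expected_root: str = EXPECTED_ROOT) -> Optional[str]:
    """Hardened form: canonicalise (normalise '..' and follow symlinks) and
    accept the result only if it stays inside expected_root. Returns the
    canonical path, or None when the value escapes the tree."""
    base = os.path.realpath(expected_root)
    candidate = os.path.realpath(os.path.join(expected_root, workspace_root))
    try:
        # commonpath, not startswith: '/opt/x-evil' must not pass as '/opt/x'.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


# Constructed sample log lines in a hypothetical "timestamp pid event path=" format.
SAMPLE_LOG = """\
2026-06-11T10:00:01Z 4121 memory_core.load path=/opt/openclaw/memory-core/default/state.json
2026-06-11T10:00:02Z 4121 memory_core.load path=/opt/openclaw/memory-core/../../tmp/ws/evil.json
2026-06-11T10:00:03Z 4121 memory_core.load path=/home/ci/workspace/artifacts/payload.json
2026-06-11T10:00:04Z 4121 memory_core.load path=../../tmp/ws/evil.json
"""
LOAD_RE = re.compile(r"^\S+ \d+ memory_core\.load path=(\S+)$")


def find_anomalous_loads(log_text: str, expected_root: str = EXPECTED_ROOT) -> List[str]:
    """Detection for step 4: return the raw path of every artifact load whose
    canonical form lies outside expected_root."""
    flagged = []
    for line in log_text.splitlines():
        m = LOAD_RE.match(line)
        if m and resolve_package_root(m.group(1), expected_root) is None:
            flagged.append(m.group(1))
    return flagged
```

Only the first sample line is accepted; the other three resolve outside the tree and are the loads step 4 says to alert on.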

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2 - AI system design and development
Annex A, A.6.2 - AI system security controls
NIST AI RMF
GOVERN 6.1 - Third-party AI risk governance
MANAGE 2.2 - AI risk treatment and response
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53813 actively exploited?

No confirmed active exploitation of CVE-2026-53813 has been reported, but organizations should still patch proactively.

What is the CVSS score for CVE-2026-53813?

CVE-2026-53813 has a CVSS v3.1 base score of 7.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Multi-tenant agent platforms
Agent development environments
CI/CD pipelines with AI agent components
Automated AI workflow orchestration

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0037 Data from Local System
AML.T0080.000 Memory
AML.T0081 Modify AI Agent Configuration
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, Annex A, A.6.2
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.

Exploitation Scenario

An adversary with low-privilege access to a shared OpenClaw workspace—such as a developer account, compromised CI pipeline token, or a malicious third-party skill (as documented in AIID #1368)—modifies workspace state metadata to alter OpenClaw's local package root resolution path. On the next agent initialization or scheduled memory-core artifact reload cycle, OpenClaw follows the manipulated path and loads a malicious artifact from the attacker's controlled directory without integrity verification. The loaded artifact executes code under the agent's runtime privileges, granting the adversary access to the agent's persisted memory state, connected tool credentials, and any data the agent can reach. In a multi-tenant deployment, this lateral path escalates a single low-privilege workspace compromise into cross-tenant impact without requiring elevated OS privileges.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026