CVE-2026-53819: OpenClaw: RCE via workspace .env executable override

HIGH
Published June 11, 2026
CISO Take

OpenClaw's skill install flow allows workspace `.env` files to override Homebrew executable selection without sanitization, enabling any attacker with write access to a trusted operator workspace to achieve arbitrary code execution on developer machines. With CVSS 8.8, low attack complexity, and all three CIA pillars rated High, this is a critical developer-toolchain risk — made more urgent by AIID #1368, which documents active threat actor abuse of OpenClaw's skill ecosystem to deliver AMOS infostealer, confirming adversaries are actively targeting this exact attack surface. No public exploit is available and the CVE is not yet in CISA KEV, but the trivial exploitation path and established ecosystem abuse pattern make weaponization highly plausible. Teams should upgrade to OpenClaw ≥ 2026.5.27 immediately, audit all workspace `.env` files for unexpected Homebrew or PATH overrides, and restrict workspace write access to verified principals.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk for any organization using OpenClaw in multi-operator, shared, or CI/CD-integrated workspace environments. Attack complexity is low and no special AI/ML expertise is required — workspace write access is the only meaningful prerequisite. The 155 other CVEs in the same package indicate a pattern of persistent security debt, elevating the likelihood of chained exploitation. AIID #1368 confirms threat actors are actively targeting OpenClaw's skills ecosystem with credential-stealing malware, providing a proven motivation and operational playbook for exploiting this class of vulnerability.

How does the attack unfold?

  1. Initial Access (AML.T0012): Adversary obtains write access to a trusted operator workspace via compromised developer credentials, insider access, or by contributing to a shared or public workspace repository.

  2. Configuration Tampering (AML.T0081): Adversary plants or modifies a workspace `.env` file to override the Homebrew executable selection, redirecting it to an attacker-controlled malicious binary.

  3. Trigger via User Action (AML.T0011): A legitimate developer initiates the OpenClaw skill install flow, unknowingly invoking the attacker-controlled executable instead of the intended Homebrew binary.

  4. Impact — Arbitrary Code Execution (AML.T0050): Malicious binary executes in the victim's local context, enabling credential harvesting, secrets exfiltration, or persistence — consistent with the AMOS stealer delivery method documented in AIID #1368.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | | No patch |

4 dependents, 79% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Upgrade all OpenClaw instances to version ≥ 2026.5.27 immediately — this is the sole confirmed fix.

  2. Audit all workspace .env files for unexpected HOMEBREW_*, PATH, or executable-related overrides before and after patching.

  3. Restrict write permissions to operator workspace directories to verified, least-privileged principals; treat workspace config as code requiring PR review.

  4. In CI/CD environments, pin workspace sources to verified commit hashes and validate .env contents with allowlist tooling (e.g., git-secrets, trufflehog) before any skill install runs.

  5. Review OpenClaw skill install logs for anomalous subprocess invocations that don't match expected Homebrew binary paths.

  6. Given AIID #1368, scan installed skills against the AMOS IOC set published by Bitdefender as a precautionary measure.
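
One way to carry out the audit in step 2, as an added example (not OpenClaw's or the advisory's own code). The page names only `HOMEBREW_*`, `PATH`, and "executable-related" overrides, so the extra key suffixes, the function names, and the sample `.env` content below are assumptions.

```python
import re
from pathlib import Path

# Assumption: the exact variable the install flow reads is not given on the page.
# HOMEBREW_* and PATH come from the remediation steps; the suffixes are a guess
# at what "executable-related" keys look like.
SUSPECT_KEY = re.compile(r"^(HOMEBREW_\w*|PATH|\w*_(BIN|EXEC|EXECUTABLE|CMD))$", re.I)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Yield (line_no, key, value) for each assignment; skip comments and blanks."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key, value = match.groups()
        # Drop one pair of matching surrounding quotes, as dotenv loaders do.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        yield line_no, key, value

def audit_env(text, allowed=frozenset()):
    """Return assignments whose key can redirect executable lookup."""
    return [(n, k, v) for n, k, v in parse_env(text)
            if SUSPECT_KEY.match(k) and k not in allowed]

def audit_workspace(root, allowed=frozenset()):
    """Audit every .env / .env.* file under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob(".env*"):
        if path.is_file():
            hits = audit_env(path.read_text(errors="replace"), allowed)
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample input, not taken from a real workspace.
SAMPLE = """\
# constructed sample
MODEL_NAME=example
export HOMEBREW_PREFIX="/tmp/ws/.cache/brew"
PATH=./tools/bin:$PATH
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for line_no, key, value in audit_env(SAMPLE):
        print(f"line {line_no}: {key}={value}")
```

Run `audit_workspace()` over each operator workspace before and after upgrading, and fail the CI job when it returns any finding that is not on a reviewed allowlist.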

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1 - Actions to address risks and opportunities
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management over the lifecycle
OWASP LLM Top 10: LLM03:2025 - Supply Chain

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53819 actively exploited?

No confirmed active exploitation of CVE-2026-53819 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53819?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development workspaces, skill and plugin ecosystems, CI/CD pipelines with AI agent tooling.

What is the CVSS score for CVE-2026-53819?

CVE-2026-53819 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI development workspaces
skill and plugin ecosystems
CI/CD pipelines with AI agent tooling

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.

Exploitation Scenario

An adversary with access to a shared operator workspace — either via compromised developer credentials or by contributing to a public/community workspace repository — plants a `.env` file that sets a custom Homebrew executable path pointing to a malicious binary (e.g., a credential harvester or reverse shell dropper staged on attacker infrastructure). When any team member runs the OpenClaw skill install flow, the malicious binary executes silently in the developer's local context with no visible anomaly. This requires zero AI/ML expertise and mirrors the operational technique used in the AIID #1368 AMOS stealer campaign, but bypasses the need to publish a malicious skill — workspace config write access alone is sufficient for full compromise.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026
