CVE-2026-53826: OpenClaw workspace path leaked from

CISO Take

OpenClaw before version 2026.4.26 fails to isolate the real workspace path when spawning child sessions from sandboxed parents, allowing any authenticated user with session-spawning rights to extract host filesystem location through normal child model interactions. While CVSS is 4.3 (medium) with no confirmed active exploitation or public proof-of-concept, the vulnerability directly undermines sandboxing — a primary isolation boundary in agentic AI deployments — and is particularly relevant given AIID incident #1368, where malicious OpenClaw skills were already used for credential exfiltration in early 2026. Path disclosure lowers the attacker's cost to enumerate sensitive resources and enables targeted follow-on attacks against AI workspaces. Organizations running OpenClaw should upgrade to 2026.4.26 immediately; if patching is not feasible, disable child session spawning from sandboxed contexts and audit model outputs for unexpected filesystem path references.

Sources: NVD GitHub Advisory VulnCheck ATLAS AIID

What is the risk?

Medium exploitability with disproportionate impact in AI agent environments. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates network reachability with low complexity and only a standard authenticated account required — a low bar on any multi-user platform. The impact is confined to confidentiality (C:L) with no direct write or availability vector. However, in agentic AI deployments where sandboxing is a first-line isolation control, path disclosure breaks a critical architectural assumption: child models receiving workspace context may use it to craft targeted prompts, invoke tools against known paths, or assist further exploitation chains. The 175 prior CVEs recorded against the OpenClaw package signal a historically weak security posture, increasing the probability that this will be chained with other weaknesses rather than exploited in isolation.

How does the attack unfold?

Initial Access

Attacker authenticates to an OpenClaw deployment using a low-privilege user account with standard session-management permissions.

AML.T0012

Exploitation

Attacker spawns a child session from a sandboxed parent session, triggering the path disclosure bug that injects the real host workspace path into the child prompt context.

AML.T0049

Data Collection

Child model receives the workspace path in its context and reflects it in outputs; attacker extracts the host filesystem location through normal conversational interaction with the child session.

AML.T0057

Follow-on Attack

Armed with the real workspace path, attacker crafts targeted tool invocations, prompt injections, or malicious skill payloads to enumerate or access files at known locations, circumventing sandbox isolation intent.

AML.T0084

Initial Access

Attacker authenticates to an OpenClaw deployment using a low-privilege user account with standard session-management permissions.

AML.T0012

Exploitation

Attacker spawns a child session from a sandboxed parent session, triggering the path disclosure bug that injects the real host workspace path into the child prompt context.

AML.T0049

Data Collection

Child model receives the workspace path in its context and reflects it in outputs; attacker extracts the host filesystem location through normal conversational interaction with the child session.

AML.T0057

Follow-on Attack

Armed with the real workspace path, attacker crafts targeted tool invocations, prompt injections, or malicious skill payloads to enumerate or access files at known locations, circumventing sandbox isolation intent.

AML.T0084

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 70% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

4.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C Low

I None

A None

What should I do?

5 steps

Upgrade OpenClaw to version 2026.4.26 or later (fix confirmed in vendor advisory GHSA-6c4r-g249-wv3c).
If immediate upgrade is not feasible, disable or restrict the spawning of child sessions from sandboxed parent sessions at the configuration level.
Review recent model output logs for unexpected absolute filesystem path strings appearing in child session responses.
Apply least-privilege controls on workspace directory permissions to minimize the sensitivity of any disclosed paths.
Monitor for anomalous child session creation activity patterns, particularly from low-privilege accounts, that could indicate active exploitation attempts.

How is it classified?

Data Leakage Privacy Violation Agent AML.T0037 - Data from Local System AML.T0057 - LLM Data Leakage AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system risk assessment

NIST AI RMF

MANAGE 2.4 - Mechanisms for tracking AI system behavior

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-53826?

OpenClaw before version 2026.4.26 fails to isolate the real workspace path when spawning child sessions from sandboxed parents, allowing any authenticated user with session-spawning rights to extract host filesystem location through normal child model interactions. While CVSS is 4.3 (medium) with no confirmed active exploitation or public proof-of-concept, the vulnerability directly undermines sandboxing — a primary isolation boundary in agentic AI deployments — and is particularly relevant given AIID incident #1368, where malicious OpenClaw skills were already used for credential exfiltration in early 2026. Path disclosure lowers the attacker's cost to enumerate sensitive resources and enables targeted follow-on attacks against AI workspaces. Organizations running OpenClaw should upgrade to 2026.4.26 immediately; if patching is not feasible, disable child session spawning from sandboxed contexts and audit model outputs for unexpected filesystem path references.

Is CVE-2026-53826 actively exploited?

No confirmed active exploitation of CVE-2026-53826 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53826?

1. Upgrade OpenClaw to version 2026.4.26 or later (fix confirmed in vendor advisory GHSA-6c4r-g249-wv3c). 2. If immediate upgrade is not feasible, disable or restrict the spawning of child sessions from sandboxed parent sessions at the configuration level. 3. Review recent model output logs for unexpected absolute filesystem path strings appearing in child session responses. 4. Apply least-privilege controls on workspace directory permissions to minimize the sensitivity of any disclosed paths. 5. Monitor for anomalous child session creation activity patterns, particularly from low-privilege accounts, that could indicate active exploitation attempts.

What systems are affected by CVE-2026-53826?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, sandboxed AI execution environments, multi-agent orchestration.

What is the CVSS score for CVE-2026-53826?

CVE-2026-53826 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworkssandboxed AI execution environmentsmulti-agent orchestration

MITRE ATLAS Techniques

AML.T0037 Data from Local System

AML.T0057 LLM Data Leakage

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to child models.

Exploitation Scenario

An authenticated attacker with a standard OpenClaw account creates a sandboxed parent session, then spawns one or more child sessions from it. The OpenClaw bug injects the real host workspace path into the child prompt context during session initialization. The attacker prompts the child model to repeat or reference the filesystem path information it has received, extracting the host workspace location through normal conversational interaction. Armed with this path, the attacker can craft subsequent requests — through tool invocations, prompt injections leveraging the known path, or malicious third-party skills as seen in AIID #1368 — to enumerate or read files at known locations, effectively bypassing the intended sandbox isolation.

Weaknesses (CWE)

CWE-668 Exposure of Resource to Wrong Sphere

CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Source: MITRE CWE corpus.