CVE-2026-53842: OpenClaw: env var injection enables arbitrary code exec

HIGH
Published June 16, 2026
CISO Take

OpenClaw before version 2026.5.2 contains an environment variable injection flaw (CWE-426) where an attacker with repository write access can place a malicious CLOUDSDK_PYTHON value in a workspace .env file, hijacking the Python runtime invoked during Gmail/gcloud setup and achieving arbitrary code execution on the victim's machine. The local attack vector and required user interaction keep the CVSS at 7.1, but in shared repositories or CI/CD pipelines this translates to a realistic insider-threat or repository-compromise scenario — OpenClaw agents typically run with cloud credentials during setup, meaning a successful exploit exposes Google Cloud service accounts and any downstream AI infrastructure connected through the agent's toolchain. No public exploit or CISA KEV listing exists today, yet the exploitation path is trivial: a single .env file line with no special tooling required. Upgrade to OpenClaw 2026.5.2+ immediately and audit all workspace .env files for unexpected CLOUDSDK_PYTHON entries; enforce repository access controls and add pre-commit hooks that flag modifications to this variable.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium-high risk in collaborative development environments. The local attack vector and user-interaction requirement limit exposure compared to network-exploitable CVEs, but AI agent frameworks like OpenClaw routinely run with cloud credentials and elevated system access during provisioning phases. The exploitation technique — injecting a single environment variable into a .env file — requires minimal attacker skill, making insider threat and supply-chain scenarios realistic for any team sharing OpenClaw workspaces. CI/CD pipelines that automate agent setup are the highest-risk surface because execution can occur without developer review.

How does the attack unfold?

  1. Configuration Tampering (AML.T0081): Attacker with repository write access inserts CLOUDSDK_PYTHON pointing to a malicious binary into the workspace .env file, optionally hiding the change within an unrelated pull request.

  2. Trigger via Setup Workflow (AML.T0011): A developer or CI/CD pipeline runs the OpenClaw Gmail setup workflow, which loads the workspace .env file and propagates the attacker-controlled CLOUDSDK_PYTHON variable to the gcloud invocation.

  3. Runtime Hijack (AML.T0050): gcloud resolves CLOUDSDK_PYTHON and invokes the attacker-specified binary instead of the system Python, executing arbitrary attacker code within the setup process and its credential context.

  4. Credential Theft and Lateral Movement (AML.T0055): The malicious code exfiltrates Google Cloud credentials, model API tokens, and other secrets present in the agent environment, enabling persistent access to the team's cloud AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: None

What should I do?

  1. Patch: Upgrade to OpenClaw 2026.5.2 or later immediately — this is the primary remediation.

  2. Audit: Scan all workspace .env files for any non-empty CLOUDSDK_PYTHON value; treat any such entry as suspect unless explicitly set by your security team.

  3. Access control: Restrict write access to workspace configuration files in shared repositories and enforce mandatory code review for any .env changes.

  4. Detection: Implement pre-commit hooks or CI pipeline checks that flag additions or modifications to CLOUDSDK_PYTHON in .env files and alert the security team.

  5. Isolation: Run OpenClaw Gmail/gcloud setup workflows inside containers or sandboxed environments where environment variables cannot reference arbitrary host paths and cloud credential exposure is minimized.
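
A check of the kind steps 2 and 4 call for, as an added example (not OpenClaw's code and not part of the advisory): it parses .env text and reports every non-empty CLOUDSDK_PYTHON assignment, and it can run as a pre-commit or CI step with the .env paths as arguments. The sample input and the GMAIL_ACCOUNT name are constructed.

```python
import re
import sys

WATCHED = {"CLOUDSDK_PYTHON"}  # the variable named in the advisory
# KEY=VALUE with an optional leading "export" and whitespace around "=".
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample input; GMAIL_ACCOUNT is a made-up variable name.
SAMPLE = """\
GMAIL_ACCOUNT=dev@example.test
export CLOUDSDK_PYTHON = "/tmp/.backdoor/python"
# CLOUDSDK_PYTHON=/commented/out
cloudsdk_python='/opt/other/python'
CLOUDSDK_PYTHON=   # empty value, not reported
"""


def strip_value(raw):
    """Drop matching quotes, or an unquoted trailing '# comment'."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return re.split(r"(?:^|\s+)#", raw, maxsplit=1)[0].strip()


def find_watched(text, watched=WATCHED):
    """Return (line_no, name, value) for each non-empty watched assignment."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)  # comment lines never match the pattern
        # Upper-cased compare: Windows env names are case-insensitive.
        if m and m.group(1).upper() in watched and strip_value(m.group(2)):
            hits.append((no, m.group(1), strip_value(m.group(2))))
    return hits


def main(paths):
    """Pre-commit or CI entry point: exit status 1 if any file has a hit."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, name, value in find_watched(fh.read()):
                print(f"{path}:{no}: {name} set to {value!r}")
                status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```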

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: 6.1.2 - AI Risk Assessment; A.6.2 - AI System Security Controls
NIST AI RMF: GOVERN 1.1 - AI Risk Policies and Procedures; MANAGE 2.2 - Risk Treatment and Response
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53842 actively exploited?

No confirmed active exploitation of CVE-2026-53842 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53842?

  1. Patch: Upgrade to OpenClaw 2026.5.2 or later immediately — this is the primary remediation.

  2. Audit: Scan all workspace .env files for any non-empty CLOUDSDK_PYTHON value; treat any such entry as suspect unless explicitly set by your security team.

  3. Access control: Restrict write access to workspace configuration files in shared repositories and enforce mandatory code review for any .env changes.

  4. Detection: Implement pre-commit hooks or CI pipeline checks that flag additions or modifications to CLOUDSDK_PYTHON in .env files and alert the security team.

  5. Isolation: Run OpenClaw Gmail/gcloud setup workflows inside containers or sandboxed environments where environment variables cannot reference arbitrary host paths and cloud credential exposure is minimized.

What systems are affected by CVE-2026-53842?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Developer workstation environments, CI/CD pipelines, Cloud-integrated agent deployments.

What is the CVSS score for CVE-2026-53842?

CVE-2026-53842 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Developer workstation environments
CI/CD pipelines
Cloud-integrated agent deployments

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2, A.6.2
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

Exploitation Scenario

A malicious insider or attacker who has compromised a contributor account in a shared OpenClaw repository adds the line CLOUDSDK_PYTHON=/tmp/.backdoor/python to the workspace .env file via a pull request with unrelated changes. When a developer clones the repository and runs the Gmail setup workflow, or when a CI/CD pipeline executes it automatically, OpenClaw loads the workspace .env and passes CLOUDSDK_PYTHON to the gcloud invocation. gcloud uses the attacker-controlled binary instead of the system Python — executing arbitrary code with the privileges of the setup process. The attacker's payload harvests Google Cloud service account credentials stored in the environment, exfiltrates them to an external endpoint, and establishes persistence for ongoing access to the team's cloud AI infrastructure.

Weaknesses (CWE)

CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.
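
The first mitigation applied to this flaw, as an added example that is not OpenClaw's code or its actual fix: a launcher that merges a parsed workspace .env into the environment of a child process, shown in a naive form and in a form that refuses interpreter-selection variables from the workspace. The function names, the GMAIL_ACCOUNT variable and the trusted_python parameter are hypothetical.

```python
import os

# Only CLOUDSDK_PYTHON comes from the advisory. Names are compared upper-cased
# because Windows treats environment variable names case-insensitively.
INTERPRETER_VARS = frozenset({"CLOUDSDK_PYTHON"})


def naive_child_env(process_env, workspace_env):
    """Vulnerable pattern: repository-controlled values override everything."""
    return {**process_env, **workspace_env}


def hardened_child_env(process_env, workspace_env, trusted_python=None):
    """Merge workspace values but keep interpreter selection out of their reach.

    trusted_python is an administrator-supplied path (hypothetical parameter),
    never a value read from the workspace. Returns (env, rejected) so the
    caller can log what was dropped.
    """
    env = dict(process_env)
    rejected = {}
    for name, value in workspace_env.items():
        if name.upper() in INTERPRETER_VARS:
            rejected[name] = value
        else:
            env[name] = value
    if trusted_python is not None:
        if not os.path.isabs(trusted_python):
            raise ValueError("trusted_python must be a fully-qualified path")
        env["CLOUDSDK_PYTHON"] = trusted_python
    return env, rejected


# Constructed inputs: the launcher's own environment and a parsed workspace .env.
PROCESS_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/home/dev"}
WORKSPACE_ENV = {
    "GMAIL_ACCOUNT": "dev@example.test",         # made-up variable
    "CLOUDSDK_PYTHON": "/tmp/.backdoor/python",  # value from the scenario
}

if __name__ == "__main__":
    env, rejected = hardened_child_env(PROCESS_ENV, WORKSPACE_ENV, "/usr/bin/python3")
    print("rejected from workspace .env:", rejected)
    print("CLOUDSDK_PYTHON for gcloud:", env["CLOUDSDK_PYTHON"])
```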

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
