CVE-2026-53846: OpenClaw: path traversal enables arbitrary package-manager exec

HIGH
Published June 16, 2026
CISO Take

OpenClaw before 2026.4.29 contains a path traversal flaw in its install helper that lets a workspace .env file override the npm_execpath setting, redirecting dependency installation to any local executable the attacker controls. The local attack vector keeps this off the internet-exposure radar, but the real threat surface is shared AI agent development environments and CI/CD pipelines, where workspace write access is routinely granted to contributors or automated tooling—and where .env contents are seldom audited before install steps run. No public exploit exists and the vulnerability is absent from CISA KEV, but CWE-426 (untrusted search path) requires zero AI/ML expertise to weaponize: write a .env, wait for a developer or pipeline to run install, collect credentials and inject backdoors. Upgrade to OpenClaw 2026.4.29 immediately, audit all workspace .env files for unexpected npm_execpath entries, and enforce least-privilege write access to OpenClaw workspace directories in every shared or automated environment.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

CVSS 7.1 High with a local attack vector substantially limits direct internet exposure, but this understates risk in AI agent development contexts where workspace directories are frequently shared across teams or mounted in CI/CD runners. Attack complexity is Low and no privileges are required—any entity that can write to the workspace can trigger exploitation, including compromised developer machines, malicious pull requests merged without .env diff review, or supply-chain-compromised tooling that auto-generates .env files. With C:H and I:H impact ratings, a successful exploit hands an attacker full visibility into build-time secrets (API keys, model tokens) and control over installed package contents. The absence of KEV listing and public exploit reduces urgency slightly, but developer-tooling vulnerabilities are systematically underweighted in triage queues.

How does the attack unfold?

1. Workspace Access (AML.T0012)
Adversary obtains write access to an OpenClaw AI agent workspace via compromised contributor credentials, a merged malicious pull request, or direct access to a shared development server.

2. .env Configuration Manipulation (AML.T0081)
Attacker writes or modifies the workspace .env file to set npm_execpath to a path pointing to a malicious executable under their control, exploiting the install helper's failure to validate this value.

3. User-Triggered Execution (AML.T0011)
A developer or CI/CD pipeline runs OpenClaw dependency installation; the install helper reads the poisoned .env and invokes the malicious binary instead of the legitimate npm.

4. Build Environment Compromise (AML.T0010.001)
Malicious executable runs with full build-context privileges, exfiltrating API keys and model credentials from the environment and optionally backdooring installed AI agent packages for persistent downstream impact.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | pip | | No patch
4 dependents; 61% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. Patch: Upgrade OpenClaw to 2026.4.29 or later as the primary remediation.

  2. Audit: Grep all workspace .env files for npm_execpath entries; flag any that do not resolve to the system-canonical npm binary path.

  3. Access control: Restrict workspace write permissions to trusted, authenticated principals only—remove any anonymous or broad contributor write grants.

  4. CI/CD hardening: Explicitly set or override npm_execpath in pipeline environment before any OpenClaw install step; do not inherit workspace .env values uncritically.

  5. Detection: Alert on npm process executions originating from non-standard binary paths in build logs; instrument build runners to capture and diff .env contents between runs.

  6. Code review gates: Add automated checks in PR pipelines to flag .env changes that modify *_execpath or *_path variables.
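Steps 2, 5 and 6 above (audit .env files for npm_execpath, diff .env contents between runs, and gate *_execpath / *_path changes in PR pipelines), together with the CWE-426 advice to allow only known-safe search paths, can be implemented with a small audit script. The following is an added example, not OpenClaw's own code or install helper: it assumes a plain KEY=VALUE .env syntax (optional `export` prefix, quotes, `#` comments), a constructed allow-list of canonical npm locations in ALLOWED_EXECPATHS that you would replace with the real paths on your runners, and a hypothetical workspace root of /srv/ws. The sample .env content is constructed for the demonstration; the /tmp/.hidden/fake-npm value is the one named in the advisory's exploitation scenario.

```python
"""Audit workspace .env files for package-manager path overrides (added example)."""
import os
import re
import shlex
from pathlib import Path

# Constructed allow-list: the only locations an npm_execpath may resolve to.
# Replace with the canonical npm path(s) actually installed on your build runners.
ALLOWED_EXECPATHS = {
    "/usr/bin/npm",
    "/usr/local/bin/npm",
    "/usr/local/lib/node_modules/npm/bin/npm-cli.js",
}

# Keys the gate cares about: npm_execpath plus the *_execpath / *_path family.
SENSITIVE_KEY = re.compile(r"^(npm_execpath|.*_execpath|.*_path)$", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample .env as an attacker might drop it into a shared workspace.
SAMPLE_ENV = """\
# constructed sample workspace .env
OPENAI_API_KEY=sk-placeholder
export npm_execpath="/tmp/.hidden/fake-npm"  # poisoned override
MODEL_PATH=../../tmp/weights
"""


def parse_env(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=VALUE, optional 'export', quoted values, # comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue  # not an assignment; ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if value and value[0] in "\"'":
            try:
                # Quoted value: first shell token, trailing comment dropped.
                value = shlex.split(value, comments=True)[0]
            except (ValueError, IndexError):
                pass  # unterminated quote: keep the raw text so it still gets flagged
        else:
            value = value.split(" #", 1)[0].strip()
        env[key] = value
    return env


def audit_env(text: str, workspace: str, allowed=ALLOWED_EXECPATHS) -> list[dict]:
    """Return one finding per sensitive key whose value is not an allow-listed binary."""
    findings = []
    for key, value in parse_env(text).items():
        if not SENSITIVE_KEY.match(key):
            continue
        # Resolve relative to the workspace and collapse '..' so a traversal such as
        # ../../tmp/fake-npm is judged by where it actually lands, not how it is spelled.
        resolved = os.path.normpath(os.path.join(workspace, os.path.expanduser(value)))
        reason = None
        if ".." in Path(value).parts:
            reason = "path traversal component"
        elif resolved not in allowed:
            reason = "not an allow-listed package-manager binary"
        if reason:
            findings.append({"key": key, "value": value, "resolved": resolved, "reason": reason})
    return findings


def diff_env(old_text: str, new_text: str) -> dict[str, tuple]:
    """Keys whose value changed between two captured .env snapshots (step 5)."""
    old, new = parse_env(old_text), parse_env(new_text)
    return {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def audit_workspace(workspace: str) -> list[dict]:
    """Scan every .env under a workspace tree; each file is resolved against its own directory."""
    findings = []
    for env_file in Path(workspace).rglob(".env"):
        findings.extend(audit_env(env_file.read_text(errors="replace"), str(env_file.parent)))
    return findings


if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV, "/srv/ws"):
        print(f"FLAG {f['key']}={f['value']} -> {f['resolved']} ({f['reason']})")
```

In a pipeline, run `audit_workspace` against the checked-out tree before any OpenClaw install step and fail the job on a non-empty result; `diff_env` over the .env captured at the previous run gives the change record step 5 asks for. `os.path.normpath` is used so the check runs offline; on a live runner, `os.path.realpath` is the stricter choice because it also follows symlinks, which a normalised string comparison does not.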

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2 - Suppliers of AI-related components
NIST AI RMF
GOVERN 6.2 - AI risk and impact – supply chain
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-53846?

OpenClaw before 2026.4.29 contains a path traversal flaw in its install helper that lets a workspace .env file override the npm_execpath setting, redirecting dependency installation to any local executable the attacker controls. The local attack vector keeps this off the internet-exposure radar, but the real threat surface is shared AI agent development environments and CI/CD pipelines, where workspace write access is routinely granted to contributors or automated tooling—and where .env contents are seldom audited before install steps run. No public exploit exists and the vulnerability is absent from CISA KEV, but CWE-426 (untrusted search path) requires zero AI/ML expertise to weaponize: write a .env, wait for a developer or pipeline to run install, collect credentials and inject backdoors. Upgrade to OpenClaw 2026.4.29 immediately, audit all workspace .env files for unexpected npm_execpath entries, and enforce least-privilege write access to OpenClaw workspace directories in every shared or automated environment.

Is CVE-2026-53846 actively exploited?

No confirmed active exploitation of CVE-2026-53846 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53846?

1. Patch: Upgrade OpenClaw to 2026.4.29 or later as the primary remediation.
2. Audit: Grep all workspace .env files for npm_execpath entries; flag any that do not resolve to the system-canonical npm binary path.
3. Access control: Restrict workspace write permissions to trusted, authenticated principals only; remove any anonymous or broad contributor write grants.
4. CI/CD hardening: Explicitly set or override npm_execpath in the pipeline environment before any OpenClaw install step; do not inherit workspace .env values uncritically.
5. Detection: Alert on npm process executions originating from non-standard binary paths in build logs; instrument build runners to capture and diff .env contents between runs.
6. Code review gates: Add automated checks in PR pipelines to flag .env changes that modify *_execpath or *_path variables.

What systems are affected by CVE-2026-53846?

This vulnerability affects the following AI/ML architecture patterns: AI agent development environments, CI/CD build pipelines, agent frameworks, ML development workspaces, multi-agent orchestration setups.

What is the CVSS score for CVE-2026-53846?

CVE-2026-53846 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent development environments, CI/CD build pipelines, agent frameworks, ML development workspaces, multi-agent orchestration setups

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.

Exploitation Scenario

An adversary with write access to a shared OpenClaw AI agent workspace—obtained via compromised developer credentials, a malicious dependency that writes to the workspace directory on install, or direct access to a shared build server—places a .env file containing npm_execpath=/tmp/.hidden/fake-npm. The fake-npm script silently exfiltrates all environment variables (capturing LLM API keys, vector DB tokens, and cloud credentials) and then delegates to the real npm to avoid raising suspicion. When any team member or CI/CD job runs the OpenClaw dependency install step, the install helper reads the workspace .env, resolves the overridden npm_execpath, and executes the malicious binary with full build-context privileges. The attacker now has build-environment code execution and credential access, and can optionally patch installed AI agent packages to include persistent backdoors that propagate to every downstream deployment using that workspace's output.

Weaknesses (CWE)

CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities