CVE-2026-53858: OpenClaw: env var injection loads malicious runtime deps

HIGH
Published June 16, 2026
CISO Take

OpenClaw before version 2026.5.2 contains an untrusted search path vulnerability (CWE-426) in which a workspace .env file can set STATE_DIRECTORY to redirect runtime dependency resolution to attacker-controlled local paths, enabling arbitrary code execution in the developer's context. The attack complexity is low and requires no privileges — an adversary only needs to deliver a malicious project workspace, a trivially achievable primitive through public repository contributions or shared team projects. No public exploits exist and this CVE is absent from CISA KEV, but the low exploitation bar makes prompt patching urgent for any organization running OpenClaw in AI agent development workflows. Upgrade to 2026.5.2 immediately; as a short-term workaround, audit all workspace .env files for unexpected STATE_DIRECTORY values and restrict write access to project directories in CI/CD environments.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High risk in AI development environments. CVSS 7.1 (AV:L/AC:L/PR:N/UI:R) reflects low complexity once the malicious workspace reaches the victim: no exploit code is required beyond a crafted .env file. Risk is elevated for organizations whose developers routinely clone external or community-sourced AI agent projects, for CI/CD pipelines that auto-build untrusted workspaces, and for teams operating shared development environments. The CVE is not in CISA KEV and no active exploitation has been observed, but the attack primitive is trivially achievable at scale through open-source project contributions targeting the AI developer community.

How does the attack unfold?

  1. Workspace Delivery (AML.T0010.001): Adversary plants a crafted .env file in a shared or public OpenClaw project repository, setting STATE_DIRECTORY to an attacker-controlled local path pre-loaded with malicious dependencies.

  2. User Execution (AML.T0011): Victim developer clones or opens the project workspace in a vulnerable OpenClaw installation (before 2026.5.2), triggering dependency resolution on startup.

  3. Dependency Hijacking (AML.T0010.001): OpenClaw resolves its bundled runtime dependency roots from the attacker-supplied STATE_DIRECTORY path, loading malicious code instead of legitimate packages.

  4. Code Execution & Credential Theft (AML.T0025): Malicious payload executes in the developer's context, exfiltrating API keys and secrets from .env, manipulating agent tool definitions, or establishing persistence in the CI/CD pipeline.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | pip | | No patch

4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: None

What should I do?

  1. Upgrade OpenClaw to version 2026.5.2 or later immediately — this is the only complete fix.

  2. If patching is delayed, manually review all workspace .env files for unexpected STATE_DIRECTORY values before opening any project.

  3. Implement file integrity monitoring on workspace configuration files in CI/CD environments to detect tampering.

  4. Restrict write access to project directories and .env files to authorized principals only.

  5. Treat all externally-sourced OpenClaw workspaces as untrusted until verified; sandbox dependency resolution in isolated environments where possible.

  6. Add .env content validation as a pre-build gate in CI pipelines scanning for STATE_DIRECTORY overrides.
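
One way to implement the pre-build gate from step 6, as an added example (not OpenClaw's or the advisory's own code): a Python check that fails the build when any workspace .env file assigns STATE_DIRECTORY. The file names scanned (.env and .env.*) and the dotenv syntax accepted are assumptions, since the page does not say which files OpenClaw loads.

```python
import re
import sys
from pathlib import Path

# Variable named in the advisory; compared case-insensitively to stay conservative.
BLOCKED = {"STATE_DIRECTORY"}

# KEY=VALUE with an optional "export " prefix and spaces around "=".
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample .env (keys other than STATE_DIRECTORY and all values are made up).
SAMPLE = """\
# agent settings
LOG_LEVEL=info
export STATE_DIRECTORY = "./vendor/.state"
#STATE_DIRECTORY=/commented/out
"""


def find_overrides(text):
    """Return (line_no, key, value) for each blocked assignment in dotenv text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
        if not m or m.group(1).upper() not in BLOCKED:
            continue  # comments, blank lines and unrelated keys
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop matching surrounding quotes
        hits.append((no, m.group(1), value))
    return hits


def scan_workspace(root):
    """Check every .env / .env.* file under root (file-name set is an assumption)."""
    findings = []
    for path in sorted(Path(root).rglob(".env*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(str(path), *hit) for hit in find_overrides(text)]
    return findings


if __name__ == "__main__":
    results = scan_workspace(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, no, key, value in results:
        print(f"{path}:{no}: {key} is set to {value!r}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step
```

Run it against the checkout directory before any step that starts OpenClaw; commented-out assignments and keys that merely contain the name (for example a prefixed or suffixed variant) are not flagged.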

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI system components and tools
NIST AI RMF: GOVERN 6.1 - AI supply chain risk policies
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions


Is CVE-2026-53858 actively exploited?

No confirmed active exploitation of CVE-2026-53858 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-53858?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development environments, CI/CD pipelines, multi-agent orchestration.

What is the CVSS score for CVE-2026-53858?

CVE-2026-53858 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI development environments, CI/CD pipelines, multi-agent orchestration

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

Exploitation Scenario

An adversary contributes a seemingly benign AI agent project to a public GitHub repository, embedding a workspace .env file that sets STATE_DIRECTORY to a path pre-loaded with trojanized versions of OpenClaw's runtime dependencies. A developer clones the repository and opens it in a vulnerable OpenClaw installation. During startup, OpenClaw resolves its dependency roots from the attacker-supplied STATE_DIRECTORY value and loads the malicious code. The payload executes silently before any user-visible error, exfiltrating .env secrets including LLM API keys and database credentials, injecting backdoor behavior into the agent's tools, or establishing persistence in the CI/CD pipeline by poisoning build artifacts used in downstream agent deployments.

Weaknesses (CWE)

CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
