CVE-2026-53864: OpenClaw env var bypass enables child

CISO Take

OpenClaw before 2026.5.26 fails to block Node.js control variables (such as NODE_OPTIONS, NODE_PATH) in its host environment sanitizer, allowing any attacker with write access to workspace .env files, tool environment overrides, or skill environment blocks to inject variables that flow unfiltered into child processes spawned by the agent. For AI agent deployments this is high-stakes: NODE_OPTIONS=--require lets an attacker load an arbitrary module before any application code runs, making this a reliable path to code execution inside the agent's child process tree — where production API keys, database credentials, and other secrets typically live in the process environment. Attack complexity is low and only low privileges are required (CVSS AC:L/PR:L), meaning any insider, compromised developer workstation, or CI/CD pipeline with workspace write access is a viable entry point; no public exploit or KEV listing exists today, but the bypass pattern is straightforward once the sanitizer gap is understood. Upgrade to OpenClaw 2026.5.26 immediately, audit all workspace and tool configuration files for unauthorized Node.js variable injections, and restrict write access to agent configuration directories.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

High. CVSS 8.1 with low attack complexity and low privilege requirement represents an accessible attack surface for insiders, compromised developer accounts, or any principal with workspace configuration write access. The C:H/I:H impact (no availability component) aligns with the realistic outcome: arbitrary code execution in child processes enabling full credential exfiltration and persistent manipulation of agent outputs. CWE-184 (incomplete blocklist) vulnerabilities are inherently fragile — once one bypass is known, the pattern generalizes to other unlisted variables. Not in CISA KEV and no public exploit exists, but the low bar for exploitation and the sensitive execution context of AI agents elevates operational risk significantly.

How does the attack unfold?

Initial Access

Attacker with low-privilege access — compromised developer account, insider, or CI/CD pipeline credential — gains write access to an OpenClaw workspace directory containing .env files or tool/skill configuration.

AML.T0012

Configuration Injection

Attacker inserts malicious Node.js control variables (e.g., NODE_OPTIONS=--require=/tmp/malicious.js) into the workspace .env file, tool environment override, or skill environment block; OpenClaw's insufficient sanitizer fails to detect or block the entry.

AML.T0081

Child Process Exploitation

OpenClaw spawns a child process for tool execution or coverage generation; the unsanitized NODE_OPTIONS value causes Node.js to unconditionally load the attacker's module before any application code runs, achieving arbitrary code execution.

AML.T0053

Credential Exfiltration & Persistence

The injected module harvests API keys, LLM provider tokens, and database credentials from the child process environment, establishes an outbound reverse shell, and optionally patches agent tool output to silently manipulate AI decisions for ongoing access.

AML.T0105

Initial Access

Attacker with low-privilege access — compromised developer account, insider, or CI/CD pipeline credential — gains write access to an OpenClaw workspace directory containing .env files or tool/skill configuration.

AML.T0012

Configuration Injection

Attacker inserts malicious Node.js control variables (e.g., NODE_OPTIONS=--require=/tmp/malicious.js) into the workspace .env file, tool environment override, or skill environment block; OpenClaw's insufficient sanitizer fails to detect or block the entry.

AML.T0081

Child Process Exploitation

OpenClaw spawns a child process for tool execution or coverage generation; the unsanitized NODE_OPTIONS value causes Node.js to unconditionally load the attacker's module before any application code runs, achieving arbitrary code execution.

AML.T0053

Credential Exfiltration & Persistence

The injected module harvests API keys, LLM provider tokens, and database credentials from the child process environment, establishes an outbound reverse shell, and optionally patches agent tool output to silently manipulate AI decisions for ongoing access.

AML.T0105

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

What should I do?

6 steps

Upgrade OpenClaw to 2026.5.26 or later — this is the only complete fix.
Until patched, audit all workspace .env files, tool environment override configurations, and skill environment blocks for unauthorized Node.js control variable entries: NODE_OPTIONS, NODE_PATH, NODE_TLS_REJECT_UNAUTHORIZED, V8_COVERAGE, NODE_V8_COVERAGE, NODE_CHANNEL_FD.
Restrict filesystem write access to workspace and skill configuration directories using ACLs — only trusted principals should modify agent configuration.
Implement file integrity monitoring (FIM) on OpenClaw workspace directories to detect unauthorized modifications in near-real-time.
In CI/CD environments, enforce an environment variable allowlist and prevent user-controlled inputs from reaching agent configuration files.
Review child process invocation logs for --require flags or unexpected module paths in NODE_OPTIONS.

How is it classified?

Code Execution Data Extraction Auth Bypass Agent Framework Plugin AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0081 - Modify AI Agent Configuration AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.2.6 - AI system security — input validation

NIST AI RMF

MANAGE 2.2 - Mechanisms for identifying and managing AI risks

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-53864?

OpenClaw before 2026.5.26 fails to block Node.js control variables (such as NODE_OPTIONS, NODE_PATH) in its host environment sanitizer, allowing any attacker with write access to workspace .env files, tool environment overrides, or skill environment blocks to inject variables that flow unfiltered into child processes spawned by the agent. For AI agent deployments this is high-stakes: NODE_OPTIONS=--require lets an attacker load an arbitrary module before any application code runs, making this a reliable path to code execution inside the agent's child process tree — where production API keys, database credentials, and other secrets typically live in the process environment. Attack complexity is low and only low privileges are required (CVSS AC:L/PR:L), meaning any insider, compromised developer workstation, or CI/CD pipeline with workspace write access is a viable entry point; no public exploit or KEV listing exists today, but the bypass pattern is straightforward once the sanitizer gap is understood. Upgrade to OpenClaw 2026.5.26 immediately, audit all workspace and tool configuration files for unauthorized Node.js variable injections, and restrict write access to agent configuration directories.

Is CVE-2026-53864 actively exploited?

No confirmed active exploitation of CVE-2026-53864 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53864?

1. Upgrade OpenClaw to 2026.5.26 or later — this is the only complete fix. 2. Until patched, audit all workspace .env files, tool environment override configurations, and skill environment blocks for unauthorized Node.js control variable entries: NODE_OPTIONS, NODE_PATH, NODE_TLS_REJECT_UNAUTHORIZED, V8_COVERAGE, NODE_V8_COVERAGE, NODE_CHANNEL_FD. 3. Restrict filesystem write access to workspace and skill configuration directories using ACLs — only trusted principals should modify agent configuration. 4. Implement file integrity monitoring (FIM) on OpenClaw workspace directories to detect unauthorized modifications in near-real-time. 5. In CI/CD environments, enforce an environment variable allowlist and prevent user-controlled inputs from reaching agent configuration files. 6. Review child process invocation logs for --require flags or unexpected module paths in NODE_OPTIONS.

What systems are affected by CVE-2026-53864?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, agent tool execution pipelines, CI/CD pipelines running AI agent workloads, multi-tenant or shared workspace environments.

What is the CVSS score for CVE-2026-53864?

CVE-2026-53864 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworksagent tool execution pipelinesCI/CD pipelines running AI agent workloadsmulti-tenant or shared workspace environments

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0081 Modify AI Agent Configuration

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

Exploitation Scenario

An attacker with a compromised developer account (or insider access) modifies the OpenClaw workspace .env file, inserting NODE_OPTIONS=--require=/tmp/malicious.js. Alternatively, they inject the same variable via a tool environment override or skill environment block — configuration surfaces OpenClaw exposes for agent customization. When OpenClaw subsequently spawns a child process to execute a tool call or generate coverage output, Node.js loads the attacker's module unconditionally before any application code runs. The malicious module reads all environment variables (harvesting LLM API keys, database credentials, Stripe secrets), establishes an outbound reverse shell, and optionally patches the agent's tool output functions to silently manipulate AI decisions downstream — all without triggering alerts, since the child process appears to complete normally.

Weaknesses (CWE)

CWE-184 Incomplete List of Disallowed Inputs Primary

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

[Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.