CVE-2026-53865: OpenClaw: path traversal enables arbitrary local code exec
HIGH
OpenClaw before 2026.5.2 contains an untrusted search path vulnerability (CWE-426) in maintenance task execution, where workspace-derived environment paths can be manipulated to cause the AI agent framework to run attacker-controlled local executables during routine operations. Any low-privileged user on a host running OpenClaw can exploit this with zero user interaction required — the low attack complexity means weaponization demands minimal skill, and the high confidentiality and integrity impact (C:H/I:H) puts agent configurations, API keys, and model data at risk. There is no active exploitation evidence and no KEV listing, but shared development environments and CI/CD pipelines running OpenClaw significantly widen the realistic attacker population. Upgrade to OpenClaw 2026.5.2 immediately; if patching must be delayed, restrict workspace directory write permissions to trusted accounts and enable process execution monitoring for unexpected binaries spawned by OpenClaw maintenance routines.
What is the risk?
Medium-High. CVSS 7.1 with local access, low complexity, and low privileges required creates a straightforward lateral movement or privilege escalation path for any local attacker. The local attack vector limits remote exploitation, but shared AI development environments — where OpenClaw is commonly deployed — often have multiple authenticated users, widening the realistic attacker population considerably. High confidentiality and integrity impact means successful exploitation can expose agent configurations, API keys, and model outputs, or enable persistent code execution within the agent process context. No KEV listing or public exploits moderate immediate urgency, but CWE-426 exploitation patterns are well-understood and the gap between disclosure and weaponization will be short.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps
1. Upgrade OpenClaw to version 2026.5.2 or later — this is the only complete remediation.
2. If immediate patching is not possible, restrict write permissions on workspace directories to the minimum required users, preventing path manipulation by low-privileged accounts.
3. Run OpenClaw processes under dedicated service accounts with narrowly scoped filesystem permissions.
4. In shared or CI/CD environments, isolate OpenClaw instances in containers with read-only workspace mounts where feasible.
5. Enable process execution monitoring (EDR or auditd rules) to detect unexpected binaries spawned from OpenClaw maintenance operations — look for child processes of OpenClaw that are not part of its expected binary list.
6. Audit PATH and workspace-derived environment variables in existing OpenClaw deployment configurations for signs of prior tampering.
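An added example for the PATH audit in the last step (not OpenClaw code): a Python check that flags entries in a PATH-style value that are empty, relative, inside the workspace, missing, or writable by group or others. The function name `audit_search_path` and its `workspace_root` argument are assumptions for illustration, and POSIX permissions are assumed.

```python
import os
import stat

def audit_search_path(path_value, workspace_root):
    """Return (entry, reason) findings for risky entries in a PATH-style value."""
    findings = []
    workspace_root = os.path.realpath(workspace_root)
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry, "empty or '.' entry means the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry depends on the working directory"))
            continue
        real = os.path.realpath(entry)  # follow symlinks before judging location
        if os.path.commonpath([real, workspace_root]) == workspace_root:
            findings.append((entry, "entry is inside the workspace"))
            continue
        try:
            mode = os.stat(real).st_mode
        except OSError:
            findings.append((entry, "entry is missing and could be created later"))
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory is group- or world-writable"))
    return findings

if __name__ == "__main__":
    # Audits this process's own PATH, treating the current directory as the workspace.
    for entry, reason in audit_search_path(os.environ.get("PATH", ""), os.getcwd()):
        print(f"{entry!r}: {reason}")
```

Run it with the environment the OpenClaw service account actually receives, since an interactive shell's PATH can differ from the one a scheduled maintenance task sees.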
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-53865?
OpenClaw before 2026.5.2 contains an untrusted search path vulnerability (CWE-426) in maintenance task execution, where workspace-derived environment paths can be manipulated to cause the AI agent framework to run attacker-controlled local executables during routine operations. Any low-privileged user on a host running OpenClaw can exploit this with zero user interaction required — the low attack complexity means weaponization demands minimal skill, and the high confidentiality and integrity impact (C:H/I:H) puts agent configurations, API keys, and model data at risk. There is no active exploitation evidence and no KEV listing, but shared development environments and CI/CD pipelines running OpenClaw significantly widen the realistic attacker population. Upgrade to OpenClaw 2026.5.2 immediately; if patching must be delayed, restrict workspace directory write permissions to trusted accounts and enable process execution monitoring for unexpected binaries spawned by OpenClaw maintenance routines.
Is CVE-2026-53865 actively exploited?
No confirmed active exploitation of CVE-2026-53865 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-53865?
1. Upgrade OpenClaw to version 2026.5.2 or later — this is the only complete remediation.
2. If immediate patching is not possible, restrict write permissions on workspace directories to the minimum required users, preventing path manipulation by low-privileged accounts.
3. Run OpenClaw processes under dedicated service accounts with narrowly scoped filesystem permissions.
4. In shared or CI/CD environments, isolate OpenClaw instances in containers with read-only workspace mounts where feasible.
5. Enable process execution monitoring (EDR or auditd rules) to detect unexpected binaries spawned from OpenClaw maintenance operations — look for child processes of OpenClaw that are not part of its expected binary list.
6. Audit PATH and workspace-derived environment variables in existing OpenClaw deployment configurations for signs of prior tampering.
What systems are affected by CVE-2026-53865?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development workspaces, local AI agent deployments, CI/CD AI pipelines.
What is the CVSS score for CVE-2026-53865?
CVE-2026-53865 has a CVSS v3.1 base score of 7.1 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0112.000 Local AI Agent
Compliance Controls Affected
What are the technical details?
Original Advisory
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.
Exploitation Scenario
An attacker with a low-privileged local account on a host running OpenClaw creates a malicious executable (e.g., a reverse shell or credential harvester) and places it in a workspace directory that OpenClaw reads when resolving service paths during maintenance operations. When a scheduled maintenance task runs — triggered automatically by cron or by an operator — OpenClaw's untrusted path resolution selects the malicious binary as the trash command, executing it with OpenClaw process privileges. In environments where OpenClaw runs with elevated privileges to manage agent tooling and file operations, this escalates to full system compromise, enabling exfiltration of API keys, agent configurations, and any model data or intermediate outputs stored on the host.
Weaknesses (CWE)
CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
- [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Source: MITRE CWE corpus.
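The two mitigations above, side by side with the pattern they replace, as an added Python example that is not OpenClaw's own code. The function names, `TRUSTED_DIRS` and the permission policy are assumptions for illustration; `trash` is used as the helper name because the advisory mentions trash command selection.

```python
import os
import stat

# Assumption: directories only an administrator can write to; adjust per platform.
TRUSTED_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")
OTHERS_WRITABLE = stat.S_IWGRP | stat.S_IWOTH

def _is_executable_file(path):
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_IXUSR)

def resolve_untrusted(name, workspace_bin):
    """Vulnerable pattern (CWE-426): a workspace directory leads the search."""
    search = [workspace_bin] + os.environ.get("PATH", "").split(os.pathsep)
    for directory in search:
        candidate = os.path.join(directory, name)
        if _is_executable_file(candidate):
            return candidate  # first match wins, wherever it lives
    return None

def resolve_trusted(name, trusted_dirs=TRUSTED_DIRS):
    """Hardened pattern: fixed directories only, fully-qualified result."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("helper name must be a bare file name")
    for directory in trusted_dirs:
        candidate = os.path.realpath(os.path.join(directory, name))
        if not _is_executable_file(candidate):
            continue
        parent_mode = os.stat(os.path.dirname(candidate)).st_mode
        if (os.stat(candidate).st_mode | parent_mode) & OTHERS_WRITABLE:
            continue  # a non-owner could modify or replace this file
        return candidate
    return None

if __name__ == "__main__":
    # Resolve a helper that exists on most POSIX systems from the fixed list.
    print(resolve_trusted("sh"))
```

Pass the returned absolute path directly to the process-spawning call without a shell, so no later PATH lookup can substitute a different binary. The check covers only the file and its immediate parent directory, not every ancestor.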
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References
Timeline
Related Vulnerabilities
- CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection (Same package: openclaw)
- CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state (Same package: openclaw)
- CVE-2026-28451 9.3 OpenClaw: SSRF via Feishu extension exposes internal services (Same package: openclaw)
- GHSA-cwj3-vqpp-pmxr 8.8 openclaw: Model bypasses authz to persist unsafe config (Same package: openclaw)
- CVE-2026-35674 8.8 OpenClaw: scope bypass enables full agent admin takeover (Same package: openclaw)