CVE-2026-53858
HIGH 7OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.
ELEVATED IMPACT
Severe if exploited (CVSS 7), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 3rd percentile
○ In CISA KEV
○ Public exploit / PoC
Impact if exploited
7CVSS 4.0 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityNone
What an attacker needs
- ⚠Access: Requires local access to the host
- ✓Privileges: No account or privileges required
- ⚠User interaction: Requires active user interaction
- ✓Complexity: No special conditions — reliably repeatable
- ⚠Requirements: Specific conditions must be present
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-426: Untrusted search path
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N