{"vulnerability": "cve-2026-53846", "sightings": [{"uuid": "bda12b64-ecb3-4523-8002-790efb75abd8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53846", "type": "seen", "source": "https://gist.github.com/alon710/98155855dc1ad0c23a241957e18cbd67", "content": "# CVE-2026-53846: CVE-2026-53846: Arbitrary Command Execution via Workspace .env Hijacking in OpenClaw\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-53846\n\n## Summary\nOpenClaw versions prior to 2026.4.29 contain an untrusted search path vulnerability in the install helper module. By loading an untrusted workspace containing a crafted .env file, the application allows overriding critical environment variables, specifically npm_execpath, leading to arbitrary command execution in the context of the running process. This vulnerability is tracked as CVE-2026-53846 and GHSA-24vr-rprv-67rf.\n\n## TL;DR\nOpenClaw before 2026.4.29 allows arbitrary command execution when an operator loads a workspace containing a poisoned .env file that overrides the npm_execpath variable.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-426 (Untrusted Search Path)\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 7.1 (CVSS:3.1)\n- **Exploit Status**: Proof-of-Concept (PoC)\n- **KEV Status**: Not Listed\n- **Impact**: Arbitrary Code Execution (RCE)\n\n## Affected Systems\n\n- OpenClaw workspace initialization modules\n- OpenClaw runtime installer engine\n- **openclaw**: < 2026.4.29 (Fixed in: `2026.4.29`)\n\n## Mitigation\n\n- Upgrade to OpenClaw stable version 2026.4.29 or later to implement environment variable filtering.\n- Block external network access from local build agents and OpenClaw hosting processes.\n- Disable automatic dependency installation features in unvetted multi-tenant workspaces.\n\n**Remediation Steps:**\n1. Audit active OpenClaw deployments and identify instances below version 2026.4.29.\n2. Execute package manager update commands to upgrade 'openclaw' to '2026.4.29'.\n3. Validate configurations to ensure that workspace environment loading restricts 'npm_execpath' overrides.\n\n## References\n\n- [GitHub Security Advisory (GHSA-24vr-rprv-67rf)](https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf)\n- [NVD CVE Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-53846)\n- [OSV Advisory Details](https://osv.dev/vulnerability/GHSA-24vr-rprv-67rf)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-53846) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T07:42:00.000000Z"}]}