CVE-2026-53858

Published: Giu 16, 2026 Last Modified: Giu 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,0

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: active

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 7,1

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

426

Untrusted Search Path

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Read Files Or Directories

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x

https://www.vulncheck.com/advisories/openclaw-arbitrary-run…

https://www.vulncheck.com/advisories/openclaw-arbitrary-runtime-dependency-load…

CVE-2026-53858

Description

Untrusted Search Path

Common Consequences

Applicable Platforms

Iscriviti alla newsletter