CVE-2026-53858: Local Code Execution via Untrusted Search Path in OpenClaw

OpenClaw is an application platform utilizing a trusted-operator design pattern. This architecture assumes that operators with execution boundaries and plugin management privileges are trusted security actors. However, when operators clone and open external repositories, the attack surface expands to include local configuration files present within the workspace directory.

The vulnerability identified as CVE-2026-53858 is an instance of an untrusted search path vulnerability, classified as CWE-426. The vulnerability occurs during the early parsing phase when OpenClaw opens a new repository or workspace. During this phase, the application processes environment variables defined in local configuration files without proper verification.

By manipulating the STATE_DIRECTORY variable within a repository-specific configuration file, an attacker can override system-defined runtime pathways. This redirection forces the application to load bundled dependencies from the specified local directory rather than the secure, system-defined system state directory. The resulting outcome is arbitrary code execution under the security privileges of the active operator.

The root cause of the flaw lies in the premature evaluation of workspace-level configuration variables before establishing secure runtime boundaries. When an operator loads a workspace, OpenClaw immediately reads and parses the repository's .env file to set up the development context. This parsing routine does not distinguish between user-defined application variables and critical system environment variables.

Specifically, the STATE_DIRECTORY environment variable dictates the directory structure where OpenClaw expects its core execution states and bundled runtime dependencies. When the application engine initializes its dependency resolver, it queries this parsed environment variable to locate its modules. Because the configuration loading process is not isolated, the workspace-level .env file successfully overrides this critical system-level path.

The application subsequently utilizes this unvalidated path to resolve and dynamically import Javascript modules. In Node.js environments, standard module resolution or file system search patterns will traverse the specified folder to find the target modules. This behavior completes the untrusted search path condition, as the application searches an arbitrary directory provided by an external, untrusted source.

The vulnerable path relies on an insecure configuration loader that merges workspace-level .env properties directly into the global process environment. In the vulnerable version, the environment parser reads the local file and applies all key-value pairs directly to process.env without filtering. Below is a representation of the vulnerable configuration sequence:

// Vulnerable configuration sequence in OpenClaw (< 2026.5.2)
const dotenv = require('dotenv');
const path = require('path');
 
function initializeWorkspace(workspacePath) {
    // Vulnerability: Reads local workspace .env and merges it into process.env
    dotenv.config({ path: path.join(workspacePath, '.env') });
    
    // Resolves the state path directly from process.env with no validation
    const stateDir = process.env.STATE_DIRECTORY || '/var/lib/openclaw';
    
    // Loads dynamic libraries from the unvalidated state directory
    const dependencyRoot = path.resolve(stateDir, 'deps');
    const coreRuntime = require(path.join(dependencyRoot, 'runtime.js'));
    coreRuntime.init();
}

In the patched version (2026.5.2), the application introduces an environment variable blocklist and enforces strict isolation of system configuration parameters. Workspace configuration files are parsed into a separate, isolated object, and critical keys such as STATE_DIRECTORY are stripped before any environment merging occurs.

// Patched configuration sequence in OpenClaw (2026.5.2)
const dotenv = require('dotenv');
const path = require('path');
const fs = require('fs');
 
const SYSTEM_BLOCKED_VARS = ['STATE_DIRECTORY', 'NODE_OPTIONS', 'PATH'];
 
function initializeWorkspaceSecure(workspacePath) {
    const envPath = path.join(workspacePath, '.env');
    if (fs.existsSync(envPath)) {
        const parsedEnv = dotenv.parse(fs.readFileSync(envPath));
        
        // Mitigation: Filter out system-critical environment variables
        for (const key of Object.keys(parsedEnv)) {
            if (!SYSTEM_BLOCKED_VARS.includes(key)) {
                process.env[key] = parsedEnv[key];
            } 
        }
    }
    
    // Resolves the state path strictly from secure system environment or defaults
    const stateDir = process.env.STATE_DIRECTORY || '/var/lib/openclaw';
    const dependencyRoot = path.resolve(stateDir, 'deps');
    
    // Ensures load path resolves within a trusted system directory
    const coreRuntime = require(path.join(dependencyRoot, 'runtime.js'));
    coreRuntime.init();
}

The patch successfully prevents workspace-level files from manipulating the runtime path. However, security teams must note that other environment-dependent loaders within the application could still be susceptible to similar overrides if third-party configuration libraries are introduced. Complete remediation requires continuous auditing of all path-building operations that rely on external variables.

Exploiting this vulnerability requires an operator to actively open an untrusted repository containing a crafted directory structure and a malicious .env file. The attack payload consists of two primary components: a configuration file setting the STATE_DIRECTORY variable, and a nested directory structure mirroring the expected dependency structure. Below is a structural representation of the exploit delivery:

The attacker defines the STATE_DIRECTORY variable to point to a relative path within the repository, such as ./attacker_libs. Inside this folder, the attacker places a file at deps/runtime.js containing arbitrary JavaScript code. When the victim clones and opens the workspace within OpenClaw, the configuration parser reads the .env file, updates the process environment, and immediately triggers the loading mechanism.

Because the application attempts to resolve runtime.js via the manipulated path, it loads the attacker's script from ./attacker_libs/deps/runtime.js. The payload executes under the same user privileges and system access rights as the active OpenClaw operator process. This bypasses typical access control lists and permits unauthenticated local code execution on the operator's machine.

The impact of successful exploitation is complete system compromise within the execution context of the OpenClaw operator. Since many operators run these environments with high privileges or within development networks, the execution of arbitrary commands provides a beachhead for lateral movement. The attacker can extract environment secrets, steal access tokens, or modify source code files.

The vulnerability is evaluated with a CVSS v4.0 base score of 7.0 and a CVSS v3.1 score of 7.1. The severity is marked as High because it requires minimal complexity and no special administrative permissions to execute. However, user interaction is a strict prerequisite, as the operator must consciously open the malicious directory.

While there are currently no known public exploits or evidence of active exploitation in the wild, the ease of crafting a payload makes this a highly viable vector for targeted supply-chain attacks. The EPSS score remains low at 0.00124, reflecting the lack of public tooling, but organizations should prioritize remediation to secure internal development environments.

The primary and recommended mitigation is upgrading the OpenClaw installation to version 2026.5.2 or later. This release enforces strict validation on environment variables loaded from workspace directories, preventing the overriding of sensitive system-level paths. Systems should be configured to automatically apply patches for core development and runtime utilities.

If immediate patching is not feasible, operators must implement defensive workarounds. One critical workaround is to disable the automatic loading of workspace-level environment configurations in the system preferences. Operators should also manually inspect any .env files in external repositories for variables like STATE_DIRECTORY before opening them.

Additionally, security teams can implement file integrity monitoring and static analysis rules to flag hazardous configurations. Network isolation policies should also be applied to operator workspaces to restrict outbound connections from development platforms, mitigating the impact of code execution by preventing the exfiltration of credentials or the establishment of reverse shells.