Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local workspace access plus a victim-run install (AV:L, UI:R); AC:H for the attack-requirement of a writable workspace and present package-manager target; PR:N since the attacker needs no OpenClaw auth; high C/I, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.29.
DescriptionCVE.org
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
AnalysisAI
Untrusted search path in OpenClaw versions prior to 2026.4.29 lets workspace-local .env files override the npm_execpath variable consulted by the install helper, redirecting bundled dependency installation to an attacker-controlled package-manager binary. An attacker who can place files in the workspace can hijack the runtime dependency setup step to compromise the build environment under the developer's identity, with no public exploit identified at time of analysis.
Technical ContextAI
OpenClaw is a JavaScript/Node-based project that uses an install helper to fetch bundled runtime dependencies via the package manager indicated by the npm_execpath environment variable (a standard npm/Yarn convention pointing to the package-manager executable invoked for child scripts). Per CWE-426 (Untrusted Search Path), the helper resolves the executable path from environment input read out of project-local .env files, so a malicious value placed in a workspace .env can point npm_execpath at any binary on the local filesystem. Combined with path traversal in how the helper loads .env, this lets a relative path escape the expected workspace directory and reach an arbitrary executable, which the helper then runs as the package-installation tool. The single affected CPE, cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*, covers all OpenClaw versions before 2026.4.29.
RemediationAI
Vendor-released patch: upgrade OpenClaw to 2026.4.29 or later, which is the fixed release identified in GHSA-24vr-rprv-67rf (https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf) and the VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-arbitrary-package-manager-execution-via-workspace-env-npm-execpath). Until the upgrade is applied, do not run OpenClaw install/setup steps against untrusted workspaces or repositories, delete or audit any unexpected .env files at the workspace root before invoking dependency installation, and explicitly unset or pin npm_execpath in the shell environment used to run installs so a workspace .env cannot override the resolved package-manager path (side effect: build scripts that rely on the calling package manager being auto-detected may need an explicit --npm/--yarn flag). For CI, restrict who can push .env files and run installs inside ephemeral, isolated runners so a hijacked package-manager binary cannot persist or reach long-lived secrets.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37148
GHSA-24vr-rprv-67rf