Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local workspace-trust flaw: attacker needs ability to write a .env in the victim's workspace (PR:L) and the victim must open it (UI:R); resulting code execution yields high C/I but no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 npm packages depend on openclaw (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.2.
DescriptionCVE.org
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.
AnalysisAI
Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
OpenClaw is an open-source workspace/runtime tool that resolves bundled runtime dependencies relative to a state directory configured via the STATE_DIRECTORY environment variable, which can be supplied by a project's workspace .env file. The flaw maps to CWE-426 (Untrusted Search Path): because the runtime trusts a value loaded from in-workspace configuration, an attacker who controls that .env can point dependency lookup at arbitrary local paths containing malicious modules. The single CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* indicates the upstream OpenClaw application itself across all versions prior to 2026.5.2 is in scope, with no separate vendor distribution split.
RemediationAI
Vendor-released patch: upgrade OpenClaw to 2026.5.2 or later, which constrains how STATE_DIRECTORY is resolved for bundled runtime dependencies, per the GHSA at https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x. Until the upgrade can be applied, treat workspace .env files as untrusted input: do not open OpenClaw workspaces obtained from third parties, strip or override STATE_DIRECTORY from .env loading (accepting that projects relying on a custom state directory will break), and run OpenClaw under a least-privileged user account so any code executed during dependency resolution is contained. On shared developer or CI hosts, consider blocking write access to repository .env files from unprivileged automation and reviewing recently modified .env files for unexpected STATE_DIRECTORY entries; the trade-off is added friction for legitimate per-project configuration overrides.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37160
GHSA-4qgr-57jq-93vh