Description
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with access to a trusted operator workspace to override the Homebrew executable that is used during skill install flows. By placing a crafted .env file in the workspace, the attacker causes an unintended Homebrew-compatible executable to be run when the operator installs a skill. The weakness is classified as CWE-426 (Untrusted Search Path): the install flow takes the location of an executable from an untrusted source, the workspace, instead of from trusted, operator-controlled configuration, so whatever binary the .env points at is executed without validation of its path, potentially leading to complete system compromise.

Affected Systems

Products affected are OpenClaw (OpenClaw:OpenClaw) versions earlier than 2026.5.27. Any installation using an older version that relies on the aforementioned skill install mechanism is vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 8.8) indicates high severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA KEV, so no exploitation in the wild is known yet. The CVSS vectors recorded on this page (network, no privileges required, user interaction required) indicate that the attacker does not need an account of their own on the affected system: what matters is the ability to get a crafted .env file into a workspace the operator treats as trusted, whether through compromised credentials, a shared internal environment, or any other path by which workspace contents are accepted. The operator then triggers execution simply by running a skill install.

Generated by OpenCVE AI on June 11, 2026 at 21:50 UTC.

Remediation

No vendor advisory or workaround is linked on this page. Per the description, the issue is addressed in OpenClaw 2026.5.27.

OpenCVE Recommended Actions

  • Update OpenClaw to 2026.5.27 or later, the first version in which workspace .env files can no longer override the Homebrew executable selection during skill install.
  • Where immediate patching is not possible, do not let workspace .env files influence which executable the skill install flow runs: treat workspace contents as untrusted input, take executable selection only from operator-controlled configuration (a fixed, absolute path to the expected Homebrew binary), and remove the override logic from the install script if it is under your control.
  • Restrict creation and modification of workspace .env files to trusted operator accounts, and audit these files for changes, in particular for variables whose values point at executables.



Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.
Title                (none)           OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override
First Time appeared  (none)           Openclaw; Openclaw openclaw
Weaknesses           (none)           CWE-426
CPEs                 (none)           cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products   (none)           Openclaw; Openclaw openclaw
References           (none)           (none)
Metrics              (none)           cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                                      cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T20:10:24.289Z

Reserved: 2026-06-10T21:16:07.495Z

Link: CVE-2026-53819

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T21:16:24.227

Modified: 2026-06-11T21:16:24.227

Link: CVE-2026-53819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:00:08Z

Weaknesses