Description
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
Published: 2026-06-16
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw prior to 2026.4.29 is vulnerable to a path traversal flaw in its install helper that lets the workspace .env file override the npm_execpath setting used during bundled runtime dependency installation. When an attacker with workspace access places a malicious npm_execpath entry, the package manager will execute unintended local executables at install time, giving the attacker arbitrary code execution in the build environment. This flaw is defined as CWE‑426 and can compromise confidentiality, integrity, and availability of the development or CI workflow.

Affected Systems

The vulnerability affects deployments of OpenClaw that are older than version 2026.4.29. Any instance running 2026.4.28 or earlier, regardless of the operating system, is susceptible when an attacker can modify or create a workspace .env file.

Risk and Exploitability

The CVSS score of 7 indicates a high severity of the vulnerability, while the EPSS score of less than 1% suggests a low current probability of exploitation. The issue is not listed in CISA’s KEV catalogue, further indicating limited widespread exploitation. Attackers would need local workspace access and the ability to write to the .env file; thus the vector is inferred to be a trusted insider or compromised workstation. Although the likelihood of a public exploit is low at present, the potential impact warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.29 or later.
  • If an upgrade is not immediately feasible, remove or neutralize any npm_execpath entries from existing workspace .env files and prevent ordinary users from writing to these files.
  • Audit all workspace .env files for suspicious entries and enforce a policy that disallows overriding npm_execpath or similar settings.

Generated by OpenCVE AI on June 17, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-24vr-rprv-67rf OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
Title OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-426
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T14:24:09.724Z

Reserved: 2026-06-10T21:21:12.125Z

Link: CVE-2026-53846

cve-icon Vulnrichment

Updated: 2026-06-16T18:54:26.633Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:01.653

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:30:12Z

Weaknesses