Description
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
Published: 2026-06-16
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insufficient sanitization issue in the host environment sanitizer that allows unrestricted manipulation of Node.js control variables. Because those variables can alter child process behavior or the paths used for coverage output, an attacker could inject commands or redirect outputs during a workspace build. This flaw corresponds to CWE‑184, indicating a flaw in how security‑relevant values are handled. The resulting impact ranges from unauthorized execution of code within the workspace to tampering with build artifacts, potentially undermining the integrity of the simulation environment.

Affected Systems

The affected product is OpenClaw from the vendor OpenClaw. Versions prior to 2026.5.26 contain the flaw. No additional vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.6 classifies the issue as high severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation as of the current data, and the vulnerability is not included in the CISA KEV catalog. The attack vector is inferred to be local or within the workspace context; an attacker who can modify the workspace .env files, tool environment overrides, or skill environment blocks can supply malicious Node.js control variables. When such variables are unfiltered, they propagate to child processes or coverage output configuration, enabling the potential exploitation path.

Generated by OpenCVE AI on June 17, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.26 or later to apply the vendor patch.
  • Limit write permissions on .env files, tool environment override directories, and skill environment blocks to only trusted users.
  • Sanitize environment variables in build scripts so that only a validated subset of Node.js control variables is passed to child processes.

Generated by OpenCVE AI on June 17, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ccwh-wwpp-6wg5 OpenClaw: Host environment sanitizer missed two Node.js control variables
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
Title OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-184
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T14:23:19.819Z

Reserved: 2026-06-10T21:22:34.481Z

Link: CVE-2026-53864

cve-icon Vulnrichment

Updated: 2026-06-16T18:47:52.939Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:04.760

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:30:12Z

Weaknesses
  • CWE-184

    Incomplete List of Disallowed Inputs