Impact
The vulnerability is an insufficient sanitization issue in the host environment sanitizer that allows unrestricted manipulation of Node.js control variables. Because those variables can alter child process behavior or the paths used for coverage output, an attacker could inject commands or redirect outputs during a workspace build. This flaw corresponds to CWE‑184, indicating a flaw in how security‑relevant values are handled. The resulting impact ranges from unauthorized execution of code within the workspace to tampering with build artifacts, potentially undermining the integrity of the simulation environment.
Affected Systems
The affected product is OpenClaw from the vendor OpenClaw. Versions prior to 2026.5.26 contain the flaw. No additional vendors or products are listed.
Risk and Exploitability
The CVSS score of 7.6 classifies the issue as high severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation as of the current data, and the vulnerability is not included in the CISA KEV catalog. The attack vector is inferred to be local or within the workspace context; an attacker who can modify the workspace .env files, tool environment overrides, or skill environment blocks can supply malicious Node.js control variables. When such variables are unfiltered, they propagate to child processes or coverage output configuration, enabling the potential exploitation path.
OpenCVE Enrichment
Github GHSA