CVE-2026-53842
7.1 HIGHOpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runti...
Published: 2026-06-16 · Last updated: 2026-06-16
Severity and scoring
- CVSS
- 7.1 HIGH
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- CWE
- CWE-426
Description
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53865 — OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service path... (7.1 HIGH)
- CVE-2026-53858 — OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bu... (7.1 HIGH)
- CVE-2026-53846 — OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the ... (7.1 HIGH)
- CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)
- CVE-2026-53819 — OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can overri... (8.8 HIGH)