CVE-2026-53846: OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath

Synopsis

This is a path traversal vulnerability in OpenClaw, a build tool, affecting versions before 2026.4.29. The flaw is in the install helper, which allows a workspace .env file to override the npm_execpath setting and redirect dependency installation to an arbitrary local executable. Successful exploitation lets an attacker run unintended package-manager binaries during dependency setup, compromising the build environment. A patched-image rebuild at version 2026.4.29 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; no over-the-network access to the service is required.

• AuthenticationNot required

  No credentials or account are needed; the attacker only requires access to the workspace file system, which is the precondition captured by the attack vector.

• Victim interactionRequired

  A user or automated process must trigger dependency installation (for example, running an install or build command) for the malicious npm_execpath override to be executed.

• Attack complexityDetail

  While the basic exploit logic is straightforward, successful exploitation depends on a specific precondition: the attacker must be able to place or influence a .env file in the target workspace before installation runs (AT:P).

Blast Radius

• Reads sensitive build environment variables and credentials available to the build process at the time the injected executable runs.
• Modifies or replaces build artifacts, installed dependencies, or configuration files within the compromised build environment.
• Executes arbitrary local binaries under the identity of the user or service account running the dependency installation step.