HIGH | CVE-2026-53858 | CNA: VulnCheck

CVE-2026-53858: OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment Variable

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

Metrics

CVSS v4.0: 7.0
Severity: HIGH
Fixed in: 2026.5.2
Affected Products: 1

HarborGuard Analysis

Synopsis

An environment variable injection vulnerability in OpenClaw before version 2026.5.2 allows an attacker to manipulate the STATE_DIRECTORY variable in a workspace .env file, redirecting runtime dependency resolution to attacker-controlled local paths. The attack requires local access and a victim to interact with a malicious workspace, but no credentials are needed. Successful exploitation allows arbitrary code execution when OpenClaw resolves its bundled runtime dependencies. A patched-image rebuild at version 2026.5.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-53858 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication via upstream feed ingestion. Coverage extends to custom-built images that bundle OpenClaw, not just official upstream images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting it against each customer environment's compliance policy to surface it at the appropriate priority. Routing to the right team inbox within each customer org is handled automatically based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at OpenClaw 2026.5.2 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, the flow includes a rebuild, a regression-test run, and a PR opened against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Not required

    No credentials are required; the attacker does not need any account on the system to stage the malicious STATE_DIRECTORY value.

  • Victim interaction: Required

    A victim must open or process the malicious workspace containing the poisoned .env file, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Although the exploit logic itself is straightforward, successful exploitation depends on a specific precondition (AT:P), meaning particular environmental or timing factors must align for dependency resolution to be redirected.

Blast Radius

  • The attacker executes arbitrary code in the context of the OpenClaw process by redirecting runtime dependency loading to a malicious local path.
  • All data accessible to the running OpenClaw process, including stored credentials, tokens, and workspace files, is exposed to the attacker (VC:H).
  • The attacker can write or modify any files and data that the OpenClaw process has permission to access (VI:H).
  • Service availability is not directly affected by this vulnerability (VA:N).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53858 activates as soon as the CVE is ingested from upstream feeds, matching any image that includes an OpenClaw version below 2026.5.2. A rebuild at the fixed version 2026.5.2 is available for affected images. For customers who opt into auto-remediation, HarborGuard can execute the full rebuild-and-PR flow, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Because exploitation requires a victim to open a malicious workspace, teams that cannot immediately upgrade should consider restricting the environments where untrusted workspace files can be loaded, for example by enforcing policy controls that prevent unvetted .env files from reaching developer or CI workstations. HarborGuard re-checks advisory status on every ingest cycle and will surface the patched rebuild automatically once it is confirmed in the upstream feed.
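
One way to implement the workspace vetting suggested above, as an added example (not HarborGuard or OpenClaw code): a scanner that flags any workspace .env file assigning STATE_DIRECTORY before the workspace is opened or built. It assumes common dotenv syntax and a file named exactly `.env`; the function names are hypothetical.

```python
import os
import re
import sys

# Assumption: the workspace .env uses common dotenv syntax (optional "export",
# KEY=VALUE, optional quotes, "#" comments). OpenClaw's own parser is not
# shown on the page and may differ.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
WATCHED_KEY = "STATE_DIRECTORY"  # variable named in the advisory


def parse_value(raw):
    """Return the quoted value, or the unquoted value minus a trailing comment."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        if end != -1:
            return raw[1:end]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()


def find_in_text(text):
    """Return [(line_number, value)] for each STATE_DIRECTORY assignment."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)  # commented-out lines do not match
        if match and match.group(1) == WATCHED_KEY:
            hits.append((number, parse_value(match.group(2))))
    return hits


def scan_workspace(root):
    """Walk root and report every .env file that sets STATE_DIRECTORY."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".env" in files:
            path = os.path.join(dirpath, ".env")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, value in find_in_text(fh.read()):
                    findings.append((os.path.relpath(path, root), number, value))
    return sorted(findings)


if __name__ == "__main__":
    # Exit non-zero so a CI step or pre-open hook can block the workspace.
    results = scan_workspace(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, number, value in results:
        print(f"{path}:{number}: {WATCHED_KEY}={value!r}")
    sys.exit(1 if results else 0)
```

Run it against a checkout directory before the workspace is loaded; any hit should be reviewed manually, since this page does not describe a legitimate reason for a workspace to set that variable.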


Fix available: 2026.5.2

Affected packages

  • OpenClaw / OpenClaw
    < 2026.5.2 (from 0)
    Fixed in 2026.5.2

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N