Environment Variable Injection Vulnerability in OpenClaw by OpenClaw
CVE-2026-53842

7HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-53842?

OpenClaw prior to version 2026.5.2 contains a security vulnerability that allows environment variable injection through the CLOUDSDK_PYTHON variable. This incident can occur during the setup execution for Gmail via gcloud. If attackers gain access to specific repository files, they can manipulate the configuration to redirect Python runtime commands to unexpected local paths, which may lead to the execution of arbitrary code. This loophole underscores the importance of securing environment configurations against unauthorized modifications.

Affected Version(s)

OpenClaw 0 < 2026.5.2

OpenClaw 2026.5.2

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://www.vulncheck.com/advisories/openclaw-arbitrary-p...

third-party-advisory

CVSS V4

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

侯海飞 (@feynman-hou)

CVE-2026-53842 Data

JSON