EXECUTIVE SUMMARY:
A series of vulnerabilities have been found in the OpenClaw npm package. The flaws span insecure environment variable handling, mutable identifier binding, exec allowlist bypasses, and privilege-escalation pathways that could allow unauthorized code execution, command injection, or token restoration. An attacker with access to a repository workspace, a compromised Discord/Zalo account, or the ability to influence tool arguments could manipulate runtime dependency resolution or bypass policy checks. The resulting risk includes data exfiltration, unauthorized system commands, and prolonged device access, threatening operational continuity and compliance.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A series of vulnerabilities have been found in the OpenClaw npm package. The flaws span insecure environment variable handling, mutable identifier binding, exec allowlist bypasses, and privilege-escalation pathways that could allow unauthorized code execution, command injection, or token restoration. An attacker with access to a repository workspace, a compromised Discord/Zalo account, or the ability to influence tool arguments could manipulate runtime dependency resolution or bypass policy checks. The resulting risk includes data exfiltration, unauthorized system commands, and prolonged device access, threatening operational continuity and compliance.[emaillocker id="1283"]
CVE-2026-53858 with a CVSS score of 7.0 – A workspace .env file can set STATE_DIRECTORY, causing OpenClaw to resolve runtime dependencies from an attacker‑controlled path; exploitation requires a trusted operator to open a malicious repository.
CVE-2026-53849 with a CVSS score of 8.6 – The Discord allowFrom feature matches mutable display names, allowing a user who can change their Discord name to hijack policy entries and gain unauthorized agent access; attacker needs a Discord account with mutable profile fields.
CVE-2026-53846 with a CVSS score of 7.0 – By overriding npm_execpath via a workspace .env, an adversary can direct the package manager to execute a malicious binary during dependency installation; requires a repository opened by a trusted operator.
CVE-2026-53853 with a CVSS score of 7.1 – On Linux/macOS, exec allowlist entries that include argPattern are ignored, permitting arbitrary arguments for an allowlisted executable; attacker must influence a lower‑trust sender to trigger exec calls.
CVE-2026-53857 with a CVSS score of 8.6 – Zalo allowFrom binds to mutable display names, enabling a contact who can alter their display name to bypass identity checks and receive agent responses intended for another user; exploitation needs control of a Zalo profile.
CVE-2026-53855 with a CVSS score of 7.6 – Shell positional parameters can bypass strict inline‑eval checks, allowing crafted command requests to inject code via shell carriers; attacker must supply command data that reaches the shell execution path.
CVE-2026-53865 with a CVSS score of 7.2 – A workspace‑derived PATH can cause OpenClaw to select an unintended trash executable, leading to execution of arbitrary code; requires a malicious .env in a repository opened by an operator.
CVE-2026-53842 with a CVSS score of 7.0 – The CLOUDSDK_PYTHON variable from a workspace .env can force gcloud to use a compromised Python interpreter during Gmail setup; attacker needs to influence the workspace environment.
CVE-2026-53866 with a CVSS score of 7.6 – Shell inline‑command parsing may miss allowlist verification, permitting execution of unapproved shell commands; exploitation is possible when a lower‑trust sender crafts inline‑command payloads.
CVE-2026-53843 with a CVSS score of 8.8 – A pairing‑scoped device session can survive token revocation and re‑establish node authority, giving a compromised device continued access; attacker must have an already paired device and exploit stale session handling.
CVE-2026-53864 with a CVSS score of 7.6 – A vulnerability in OpenClaw allows lower-trust environment sources to pass Node.js control variables through the sanitizer, potentially influencing child process execution and coverage output paths.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-wc84-j36w-pw4x
https://github.com/advisories/GHSA-cw4q-gqg5-g38h
https://github.com/advisories/GHSA-24vr-rprv-67rf
https://github.com/advisories/GHSA-v2ww-5rh7-2h5v
https://github.com/advisories/GHSA-8c59-hr4w-qg69
https://github.com/advisories/GHSA-5cj2-3jr2-5h77
https://github.com/advisories/GHSA-rx78-29qr-5hq8
https://github.com/advisories/GHSA-fq9j-vw4w-fr6v
https://github.com/advisories/GHSA-f397-5vjw-v2c2
https://github.com/advisories/GHSA-q99w-vh6v-q3v7
https://github.com/advisories/GHSA-ccwh-wwpp-6wg5