Vulnerability Details CVE-2026-53858
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability in which a STATE_DIRECTORY value set in a workspace .env file could influence bundled runtime dependency roots. By manipulating the STATE_DIRECTORY variable, attackers can cause runtime dependencies to load from unintended local paths, potentially executing malicious code during dependency resolution.
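A check defenders can run over workspaces while upgrading, added here as an example and not taken from OpenClaw: it reports every .env file that assigns STATE_DIRECTORY. The dotenv parsing rules and the function names are assumptions of this example; OpenClaw's own .env handling may differ.

```python
import re
from pathlib import Path

# Key named in the advisory. Treating every workspace assignment of it as
# reportable is this example's assumption, not OpenClaw's documented policy.
SENSITIVE_KEYS = {"STATE_DIRECTORY"}

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Yield (lineno, key, value) for each assignment in dotenv-style text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment, including commented-out keys
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw[:1] in ("'", '"'):
            end = raw.find(raw[0], 1)  # closing quote, if present
            value = raw[1:end] if end != -1 else raw[1:]
        else:
            value = raw.split(" #", 1)[0].strip()  # drop trailing comment
        yield lineno, key, value

def find_overrides(text, keys=SENSITIVE_KEYS):
    """Return assignments of sensitive keys found in one .env body."""
    return [(n, k, v) for n, k, v in parse_env(text) if k in keys]

def scan_workspace(root):
    """Walk a workspace tree and report sensitive assignments per .env file."""
    hits = []
    for path in sorted(Path(root).rglob(".env")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += [(str(path), n, k, v) for n, k, v in find_overrides(text)]
    return hits

# Constructed sample input, not taken from any real workspace.
SAMPLE = """\
API_URL=https://example.invalid
export STATE_DIRECTORY="/tmp/ws/state"  # trailing comment
# STATE_DIRECTORY=/commented/out
  STATE_DIRECTORY = ./relative
"""

if __name__ == "__main__":
    for hit in find_overrides(SAMPLE):
        print(hit)
```

A hit does not prove exploitation; it marks a workspace whose .env should be reviewed before it is opened with a version earlier than 2026.5.2.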
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 2.5%
CVSS Severity
CVSS v3 Score 7.1