PatchSiren cyber security CVE debrief
CVE-2026-53846 OpenClaw CVE debrief
CVE-2026-53846 is a HIGH-severity vulnerability (CVSS 7.0) in OpenClaw, published on 2026-06-16T19:17:01.653Z and last modified on 2026-06-16T20:42:46.200Z. It is classified as a path traversal issue. The flaw lets an attacker with workspace access cause an unintended local package-manager executable to run during dependency setup, which can compromise the build environment.
- Vendor: OpenClaw
- Product: Unknown
- CVSS: HIGH (7.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-18
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-18
Who should care
Anyone running OpenClaw older than version 2026.4.29 should treat this as actionable, especially where workspaces are shared and another party can write files into them.
Technical summary
The install helper in OpenClaw reads configuration from workspace .env files and lets them override npm_execpath, the variable that selects the package-manager executable used to install the bundled runtime's dependencies. Because the workspace is attacker-writable, a planted .env entry can point npm_execpath at an arbitrary local file, which the helper then executes with the privileges of the user running the install. The page classifies the issue as path traversal.
Defensive priority
HIGH
Recommended defensive actions
- Update OpenClaw to version 2026.4.29 or later.
- Treat workspace .env files as untrusted input: restrict who can write them, and review them for entries such as npm_execpath before running dependency setup.
- Monitor the build environment for package-manager processes launched from unexpected paths during dependency installation.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide further information about this vulnerability.
Official resources
CVE-2026-53846 was disclosed by VulnCheck on 2026-06-16T19:17:01.653Z.