CVE-2026-53842

Summary

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.5.2affected
OpenClawOpenClaw2026.5.2unaffected

Weaknesses

  • CWE-426: Untrusted Search Path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References