CVE-2026-53858 OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment Variable
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATEDIRECTORY variable to load runtime dependencies from unintended local paths, potentially...