{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/homebrew/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53819"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c 2026.5.27)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","homebrew","supply-chain","macos","linux"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eThe OpenClaw platform is affected by CVE-2026-53819, a high-severity vulnerability enabling a malicious \u003ccode\u003e.env\u003c/code\u003e file in a repository to manipulate the Homebrew executable selection during skill installation flows. Published by GHSA on July 2, 2026, this flaw permits the OpenClaw install helper to use an attacker-controlled Homebrew-compatible binary instead of the legitimate one. This occurs when a trusted operator opens an affected workspace and initiates a skill installation. The vulnerability, present in OpenClaw versions prior to 2026.5.27, affects macOS and Linux systems and poses a significant risk for arbitrary code execution, bypassing established security controls and potentially compromising the operator's environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious repository that includes a \u003ccode\u003e.env\u003c/code\u003e file designed to alter environment variables that influence Homebrew's path resolution.\u003c/li\u003e\n\u003cli\u003eThe attacker socially engineers a trusted OpenClaw operator to clone and open this malicious repository within their development workspace.\u003c/li\u003e\n\u003cli\u003eThe trusted operator initiates a skill install flow within the newly opened, compromised workspace.\u003c/li\u003e\n\u003cli\u003eDuring the install process, the OpenClaw install helper parses the malicious \u003ccode\u003e.env\u003c/code\u003e file, causing it to load an incorrect or attacker-controlled path for the Homebrew executable.\u003c/li\u003e\n\u003cli\u003eInstead of executing the legitimate Homebrew binary, the system invokes an attacker-controlled Homebrew-compatible executable, which was likely bundled within the malicious repository.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled executable runs with the operator's privileges, achieving arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003eThis execution could lead to system compromise, data exfiltration, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53819 could allow an attacker to run arbitrary code on a trusted operator's system, leading to full system compromise. The practical impact depends on the specific configuration of the operator's environment and the attacker's payload. If lower-trust input can reach the affected path, it increases the likelihood and severity of compromise. This vulnerability could be leveraged for initial access, privilege escalation, or establishing persistence within targeted development environments, potentially affecting intellectual property or critical infrastructure if operators with elevated access are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenClaw to version \u003ccode\u003e2026.5.27\u003c/code\u003e or newer to remediate CVE-2026-53819.\u003c/li\u003e\n\u003cli\u003eAvoid running skill install flows from untrusted workspaces until all OpenClaw instances are updated to the patched version \u003ccode\u003e2026.5.27\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a general hardening measure, keep channel and tool allowlists narrow, as noted in the GHSA reference.\u003c/li\u003e\n\u003cli\u003eDisable the affected feature when it is not needed to reduce the attack surface for CVE-2026-53819.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:01:45Z","date_published":"2026-07-03T12:01:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-homebrew-override/","summary":"A high-severity vulnerability (CVE-2026-53819) in OpenClaw versions prior to 2026.5.27 allows a malicious `.env` file within a repository to override the Homebrew executable selection during skill installation flows, potentially leading to arbitrary code execution on trusted operator systems running macOS or Linux.","title":"OpenClaw Workspace .env Homebrew Executable Override Vulnerability (CVE-2026-53819)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-homebrew-override/"}],"language":"en","title":"CraftedSignal Threat Feed - Homebrew","version":"https://jsonfeed.org/version/1.1"}