CVE-2026-53807: OpenClaw: auth bypass allows unauthorized command execution

HIGH
Published June 11, 2026
CISO Take

OpenClaw before version 2026.5.6 has an authorization bypass in its Telegram interactive callback handler — any authenticated Telegram user can self-authorize before `commands.allowFrom` is evaluated, granting access to commands that should be restricted to trusted operators only. With a CVSS of 8.8 (High), network-accessible, requiring only low privileges and no user interaction, this is low-friction to exploit and requires no AI/ML expertise. The package carries 155 prior CVEs — a clear signal of chronic security debt — and while it is not yet in the CISA KEV and no public exploit has been confirmed, the AI agent nature of OpenClaw amplifies blast radius: a successful bypass can cascade into tool invocations, credential access, or data exfiltration depending on what the agent is wired to. Organizations running OpenClaw with Telegram bot integration should upgrade to 2026.5.6 immediately; as an interim workaround, restrict the bot to private groups or disable interactive callbacks until patched.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

HIGH risk. The vulnerability is trivially exploitable — low attack complexity, low privileges, no user interaction required, full C/I/A impact. The AI agent nature of OpenClaw amplifies blast radius significantly beyond a typical authorization bypass: if the agent has access to external tools, APIs, file systems, or internal data stores (common in agentic deployments), an attacker gaining unauthorized command execution can cascade into broader system compromise. The 155 prior CVEs in this package indicate a pattern of inadequate security hygiene that warrants heightened scrutiny of the entire codebase, not just this specific issue. The 4 downstream dependents limit ecosystem-wide exposure but do not reduce risk for affected deployments.

How does the attack unfold?

Initial Access
Attacker obtains access to a Telegram bot or group powered by a vulnerable OpenClaw instance, using a legitimate but non-privileged Telegram account.
AML.T0049
Authorization Bypass
Attacker sends a Telegram interactive callback (e.g., inline keyboard button press), triggering the self-authorization logic that marks the sender as permitted before `commands.allowFrom` validation executes.
AML.T0107
Unauthorized Command Execution
Attacker invokes restricted agent commands — triggering tool calls, API requests, data lookups, or workflow executions — as if they were a legitimate authorized operator.
AML.T0053
Impact
Full confidentiality, integrity, and availability compromise of the agent's operational scope, potentially including credential access, data exfiltration, or persistent control over downstream systems the agent is wired to.
AML.T0048

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 79% patched ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

4 steps
  1. Patch immediately: Upgrade OpenClaw to version 2026.5.6 or later — the vendor advisory at GHSA-w5ww-7chg-mxcq contains the fix details.

  2. Workaround (if patching is not immediately feasible): Restrict the Telegram bot to private, invite-only groups where the entire user population is fully controlled; remove any public or semi-public bot access. Alternatively, disable interactive callback handlers in the OpenClaw configuration until the patch is applied.

  3. Detection: Audit Telegram bot logs for callback invocations from Telegram user IDs not present in the configured `commands.allowFrom` allowlist — any such invocation prior to patching may indicate active exploitation. Correlate unexpected command executions with callback events from non-allowlisted chat IDs.

  4. Scope review: Inventory every command and tool capability exposed via the Telegram interface and apply least-privilege principles to the agent's tool access surface regardless of patch status.
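
Added example, not from the advisory or the OpenClaw project: one way to run the audit in step 3 over captured Telegram updates. It assumes each log line is a JSON object holding a `ts` epoch timestamp and the raw Telegram `update`, that `commands.allowFrom` holds numeric sender IDs, and a 300-second correlation window; the sample lines are constructed.

```python
import json

# Constructed sample: one JSON object per line, {"ts": epoch seconds, "update": Telegram Update}.
# The wrapper and all values are assumptions for illustration, not OpenClaw's log format.
SAMPLE_LOG = """\
{"ts": 1000, "update": {"message": {"from": {"id": 111}, "chat": {"id": -500}, "text": "/status"}}}
{"ts": 1010, "update": {"callback_query": {"from": {"id": 999}, "data": "confirm", "message": {"chat": {"id": -500}}}}}
{"ts": 1015, "update": {"message": {"from": {"id": 999}, "chat": {"id": -500}, "text": "/run report"}}}
{"ts": 1020, "update": {"callback_query": {"from": {"id": 111}, "data": "confirm", "message": {"chat": {"id": -500}}}}}
{"ts": 5000, "update": {"message": {"from": {"id": 999}, "chat": {"id": -500}, "text": "/run report"}}}
not-json garbage line
"""

def audit(log_text, allow_from, window=300):
    """Return (callbacks, commands): callback presses by senders outside
    allow_from, and commands those senders sent within `window` seconds
    after such a press."""
    allowed = {str(x) for x in allow_from}
    last_cb = {}                 # sender id -> ts of latest non-allowlisted callback
    callbacks, commands = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            ts, upd = rec["ts"], rec["update"]
            cb, msg = upd.get("callback_query"), upd.get("message")
        except (ValueError, KeyError, TypeError, AttributeError):
            continue             # skip malformed lines instead of aborting the audit
        if cb:
            uid = str(cb.get("from", {}).get("id"))
            if uid not in allowed:
                chat = cb.get("message", {}).get("chat", {}).get("id")
                last_cb[uid] = ts
                callbacks.append({"line": lineno, "ts": ts, "user": uid,
                                  "chat": chat, "data": cb.get("data")})
        elif msg and str(msg.get("text", "")).startswith("/"):
            uid = str(msg.get("from", {}).get("id"))
            if uid in last_cb and 0 <= ts - last_cb[uid] <= window:
                commands.append({"line": lineno, "ts": ts, "user": uid,
                                 "text": msg["text"]})
    return callbacks, commands

if __name__ == "__main__":
    cbs, cmds = audit(SAMPLE_LOG, allow_from=[111])
    for hit in cbs + cmds:
        print(hit)
```

Every entry in the first list is a callback the allowlist should have rejected; entries in the second list are the command executions to investigate first.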

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness, and cybersecurity
ISO 42001
6.1.2 - AI risk assessment
NIST AI RMF
GOVERN 6.2 - Policies and procedures are in place to address AI risks
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53807 actively exploited?

No confirmed active exploitation of CVE-2026-53807 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53807?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, Telegram bot command interfaces, agentic pipelines with external tool access, operator-controlled AI agent deployments.

What is the CVSS score for CVE-2026-53807?

CVE-2026-53807 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks
Telegram bot command interfaces
agentic pipelines with external tool access
operator-controlled AI agent deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.

Exploitation Scenario

An attacker discovers or is added to a Telegram bot or group powered by a vulnerable OpenClaw instance. They press an inline keyboard button or otherwise trigger a Telegram interactive callback. The vulnerable callback handler executes self-authorization logic that marks the sender as permitted before evaluating the `commands.allowFrom` allowlist — meaning the attacker's Telegram ID passes the check it should fail. The attacker then issues restricted commands: in a typical AI agent deployment this could mean triggering data lookups against internal repositories, invoking API integrations, dumping conversation history, or executing agent workflows. In a worst-case agentic scenario with tool access, this becomes an unauthorized remote operator with full control over the agent's action surface — functionally equivalent to administrative access over every downstream system the agent can reach.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026
