CVE-2026-53808: OpenClaw: approval bypass enables unauthorized skill changes

MEDIUM
Published June 11, 2026
CISO Take

OpenClaw before 2026.5.6 contains an authorization flaw (CWE-863) in its Skill Workshop apply flow that allows agent tool calls to set apply: true and push configuration changes even when approvalPolicy is configured as pending, effectively nullifying the human approval gate that AI governance frameworks require. This is operationally dangerous in agentic environments because the approval workflow is typically the primary control preventing unauthorized behavior modifications — an attacker who can reach the apply endpoint or influence an agent tool call (including via prompt injection) can silently alter agent skills and configurations with no approval notification generated. The OpenClaw skills ecosystem has already been actively exploited in the wild per AIID #1368, where roughly 17% of third-party skills were assessed as malicious and used to deliver the AMOS stealer and exfiltrate credentials via ClawHub, confirming that threat actors are actively targeting this attack surface. Upgrade to OpenClaw 2026.5.6 or later immediately; audit Skill Workshop apply logs for unauthorized operations prior to patching and review recently applied skills against your approved skill inventory.

Sources: NVD, GitHub Advisory, ATLAS, AIID

What is the risk?

CVSS 6.5 (Medium) understates the operational risk in agentic deployments. No privileges required, low attack complexity, and network accessibility make this trivially exploitable for any actor who can reach the apply endpoint or influence an agent tool invocation. The real blast radius is the integrity of all agent configurations under OpenClaw management — a single bypass can cascade into persistent behavioral changes across an entire agent fleet with no audit trail. The package carries 155 prior CVEs, signaling chronic security debt. With active exploitation of the OpenClaw skills ecosystem already documented (AIID #1368), this authorization gap in the apply path is a high-probability target for threat actors already familiar with the platform.

How does the attack unfold?

Initial Access (AML.T0049): The attacker reaches the OpenClaw Skill Workshop apply endpoint over the network. No credentials are required because of the CWE-863 authorization flaw in the apply path.
Policy Bypass (AML.T0053): The attacker sends an apply request (directly or via an influenced agent tool call) with apply: true set, causing the server to skip the approvalPolicy: pending enforcement check.
Persistence (AML.T0081): The malicious skill or modified agent configuration is applied silently, with no approval notification generated, establishing a durable foothold in the agent execution environment.
Impact (AML.T0086): The applied malicious skill executes within the trusted agent context, enabling credential exfiltration, data theft, or further manipulation of agent behavior consistent with the AIID #1368 OpenClaw exploitation pattern.
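The bypass described above, as an added illustration rather than OpenClaw's own code: a handler that lets the caller's apply flag short-circuit the policy gate, beside a hardened version that decides from approvalPolicy and a content-bound approval record. The ApplyRequest and ApprovalStore types and the "pending"/"auto" policy strings are hypothetical stand-ins.

```python
"""Added example, not OpenClaw's code: a caller-supplied apply flag must not decide
whether a change is applied. ApplyRequest/ApprovalStore names are hypothetical."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

def change_digest(skill_id: str, changes: dict) -> str:
    """Stable hash of the exact change an approver reviewed."""
    blob = json.dumps({"skill": skill_id, "changes": changes}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

@dataclass
class ApplyRequest:
    skill_id: str
    changes: dict
    apply: bool = False               # caller-controlled, e.g. set by an injected prompt
    approval_id: Optional[str] = None

class ApprovalStore:
    """Constructed server-side record of human approvals."""
    def __init__(self) -> None:
        self._records: dict = {}      # approval_id -> digest of the approved change

    def record(self, approval_id: str, skill_id: str, changes: dict) -> None:
        self._records[approval_id] = change_digest(skill_id, changes)

    def covers(self, approval_id: Optional[str], skill_id: str, changes: dict) -> bool:
        # True only if exactly this change was approved under this id
        return self._records.get(approval_id) == change_digest(skill_id, changes)

def apply_vulnerable(req: ApplyRequest, approval_policy: str) -> str:
    # CWE-863 pattern: the request's own flag short-circuits the policy gate
    if req.apply or approval_policy != "pending":
        return "applied"
    return "queued"

def apply_hardened(req: ApplyRequest, approval_policy: str, approvals: ApprovalStore) -> str:
    # The configured policy and the approval record decide; req.apply is never consulted
    if approval_policy == "pending" and not approvals.covers(
        req.approval_id, req.skill_id, req.changes
    ):
        return "queued"               # this is where approvers would be notified
    return "applied"

if __name__ == "__main__":
    req = ApplyRequest("summarize", {"model": "x"}, apply=True)
    print(apply_vulnerable(req, "pending"), apply_hardened(req, "pending", ApprovalStore()))
```

Binding the approval to a digest of the reviewed change also stops an approval issued for one change from being replayed against a different payload.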

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip         (not stated)       No patch

4 dependents; 79% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

What should I do?

6 steps
  1. Patch immediately to OpenClaw ≥2026.5.6 per the vendor advisory (GHSA-cqwv-9qjx-vxw2).

  2. Audit Skill Workshop event logs for any apply operations executed with apply: true while approvalPolicy was pending — focus on the 30 days prior to patching.

  3. Cross-reference all recently applied skills against your approved skill inventory and revoke any unauthorized entries.

  4. If patching is delayed, restrict network access to the Skill Workshop apply endpoint via WAF or firewall rules as an interim control.

  5. Implement alerting on configuration change events in OpenClaw that do not have a corresponding approval record upstream.

  6. Review agent tool definitions for post-exploitation signs: unexpected tool additions, changed activation triggers, or modified call chains.
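An added detection example for the audit and alerting steps above (steps 2 and 5), not OpenClaw's own log format: the JSON-lines event names, fields and sample records are constructed. It walks the event stream and flags apply operations performed under a pending policy that have no matching, unused approval record.

```python
"""Added detection example for the audit and alerting steps; the event names,
fields and sample lines below are constructed, not OpenClaw's real log schema."""
import json
from typing import Iterable, List, Dict

# Constructed sample log: one approved apply, one with no approval record,
# one replaying an already-used approval, and one under a non-pending policy.
SAMPLE_LOG = """\
{"ts":"2026-05-01T09:00:00Z","event":"approval.granted","approval_id":"apr-1","skill_id":"summarize","approver":"alice"}
{"ts":"2026-05-01T09:01:00Z","event":"skill.apply","skill_id":"summarize","apply":true,"approval_policy":"pending","approval_id":"apr-1","actor":"agent-7"}
{"ts":"2026-05-02T03:12:00Z","event":"skill.apply","skill_id":"data-export","apply":true,"approval_policy":"pending","approval_id":null,"actor":"agent-7"}
{"ts":"2026-05-02T03:13:00Z","event":"skill.apply","skill_id":"summarize","apply":true,"approval_policy":"pending","approval_id":"apr-1","actor":"agent-7"}
{"ts":"2026-05-03T10:00:00Z","event":"skill.apply","skill_id":"translate","apply":true,"approval_policy":"auto","approval_id":null,"actor":"bob"}
"""

def find_unapproved_applies(lines: Iterable[str]) -> List[Dict]:
    """Return apply events that ran under approvalPolicy pending without a
    valid, unused approval record issued for the same skill."""
    granted: Dict[str, str] = {}   # approval_id -> skill_id it was issued for
    consumed = set()               # approval ids already spent by an apply
    findings: List[Dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "approval.granted":
            granted[ev["approval_id"]] = ev["skill_id"]
            continue
        if ev["event"] != "skill.apply" or not ev.get("apply"):
            continue
        if ev.get("approval_policy") != "pending":
            continue                   # policy did not require human approval
        aid = ev.get("approval_id")
        if granted.get(aid) != ev["skill_id"]:
            reason = "no approval record for this skill"
        elif aid in consumed:
            reason = "approval record reused"
        else:
            consumed.add(aid)          # legitimate, single-use approval
            continue
        findings.append({"ts": ev["ts"], "skill_id": ev["skill_id"],
                         "actor": ev["actor"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_unapproved_applies(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f['ts']} {f['actor']} applied {f['skill_id']}: {f['reason']}")
```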

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 14 - Human oversight
ISO 42001: A.6.2 - AI system operational and change controls
NIST AI RMF: GOVERN 1.2 - Accountability structures for AI risk
OWASP LLM Top 10: LLM08 - Excessive Agency

How many AI incidents are linked? (2)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-53808?

CVE-2026-53808 is an authorization flaw (CWE-863) in the Skill Workshop apply flow of OpenClaw before 2026.5.6: agent tool calls can set apply: true and push configuration changes even when approvalPolicy is configured as pending, bypassing the human approval gate with no approval notification generated. The fix is to upgrade to OpenClaw 2026.5.6 or later; the full assessment is given in the CISO Take above.

Is CVE-2026-53808 actively exploited?

No confirmed active exploitation of CVE-2026-53808 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53808?

Patch to OpenClaw ≥2026.5.6 per the vendor advisory (GHSA-cqwv-9qjx-vxw2), then audit Skill Workshop apply logs and recently applied skills for unauthorized changes; the complete six-step remediation list is given under "What should I do?" above.

What systems are affected by CVE-2026-53808?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent orchestration, approval workflow systems, multi-agent pipelines.

What is the CVSS score for CVE-2026-53808?

CVE-2026-53808 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent orchestration, approval workflow systems, multi-agent pipelines

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 14
ISO 42001: A.6.2
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization.

Exploitation Scenario

An attacker identifies an OpenClaw deployment with Skill Workshop enabled — the apply endpoint is network-accessible with no credentials required. They either craft a direct HTTP request to the apply path with apply: true in the payload, or they leverage prompt injection against an OpenClaw-powered agent to cause it to invoke the Skill Workshop apply tool with attacker-controlled parameters. The pending approval check fails to enforce the policy due to CWE-863, and the attacker's malicious skill — potentially containing exfiltration logic targeting stored credentials or API tokens, mirroring the AMOS stealer variant seen in AIID #1368 — is silently applied to the target agent environment. The change persists with no approval notification dispatched, giving the attacker a durable foothold that survives agent restarts and continues to operate within trusted execution context.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026
