CVE-2026-53809: OpenClaw: policy bypass exposes restricted tool access

LOW
Published June 11, 2026
CISO Take

OpenClaw's embedded runner incorrectly validates provider aliases instead of canonical identities when enforcing access policy (CWE-863), letting a local user with low privileges invoke AI tools that should be off-limits per runner configuration. While severity is low (CVSS 3.8), the S:C scope change in the vector means impact can propagate beyond the runner itself — in agentic pipelines, unauthorized tool access translates directly to unintended actions or data exposure across components the runner mediates. The package carries 155 prior CVEs, and AIID #1368 documents real-world credential theft via malicious skills in the same OpenClaw ecosystem, confirming attacker interest in this attack surface is active and demonstrated. Upgrade to 2026.4.25 or later; if patching is delayed, disable provider aliasing or the embedded runner feature entirely, and audit existing policies to confirm canonical names — not aliases — are used as policy subjects.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck, AIID

What is the risk?

Inherent CVSS risk is low (3.8), but the S:C scope change elevates contextual concern: the vulnerability can affect components beyond the runner itself, which in agentic deployments may include file systems, external APIs, or credential stores. Attack complexity is low and privileges required are minimal, meaning any local user can attempt exploitation without specialized knowledge or tooling. The absence of public exploit code and of a KEV listing reduces near-term exploitation probability, but the low barrier, combined with the 155-CVE history of this package and documented real-world abuse of the OpenClaw skills ecosystem (AIID #1368), indicates persistent attacker focus on this authorization surface.

How does the attack unfold?

1) Local Access (AML.T0012): Attacker uses a valid low-privilege account to access a host running OpenClaw with the embedded runner and provider policy restrictions enabled.
2) Alias Enumeration (AML.T0084.001): Attacker identifies available provider aliases from configuration files, documentation, or runner introspection, mapping aliases to restricted canonical providers that hold access to valuable bundled tools.
3) Policy Bypass (AML.T0107): Attacker crafts a runner request referencing the restricted provider by alias; the policy engine evaluates the alias string rather than the canonical identity and incorrectly permits the request.
4) Unauthorized Tool Invocation (AML.T0053): Runner executes the bundled tool associated with the bypassed provider, granting the attacker capabilities — file reads, API calls, or credential access — outside their authorized policy scope.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range:
Patched: No patch
Dependents: 4 (79% patched, ~0d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 3.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

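Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): None
Integrity (I): Low
Availability (A): None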

What should I do?

1) Upgrade OpenClaw to ≥2026.4.25 per vendor advisory GHSA-p39j-x9h5-q66m.
2) If patching is delayed, disable the embedded runner's provider aliasing feature or disable the embedded runner entirely until the patch is applied.
3) Audit existing runner policy configurations: replace any alias-based policy subjects with canonical provider identities and validate that no aliases map to restricted providers.
4) Add monitoring for runner requests that reference provider aliases not matching expected canonical names — anomalous alias usage warrants investigation as potential exploitation.
5) Restrict OS-level access to the runner process to the minimum set of identities that legitimately require it, reducing the pool of potential low-privilege attackers.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system; Article 9 - Risk management system
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation
NIST AI RMF: GOVERN 1.2 - Policies, processes, and practices for AI risk management; GOVERN 6.1 - Policies, processes, procedures, and practices
OWASP LLM Top 10: LLM06:2025 - Excessive Agency; LLM08:2025 - Excessive Agency

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53809 actively exploited?

No confirmed active exploitation of CVE-2026-53809 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53809?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent pipelines, multi-tenant AI deployments.

What is the CVSS score for CVE-2026-53809?

CVE-2026-53809 has a CVSS v3.1 base score of 3.8 (LOW).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent pipelines, multi-tenant AI deployments

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0084.001 Tool Definitions
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2, GOVERN 6.1
OWASP LLM Top 10: LLM06:2025, LLM08:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.

Exploitation Scenario

An attacker with low-privilege local access on a host running OpenClaw enumerates available provider aliases from configuration files or public documentation. They identify a restricted canonical provider — for example, one with access to a file-read or credential-fetch bundled tool — and craft a runner request referencing that provider's alias rather than its canonical name. The embedded runner's policy check evaluates the alias string against policy rules and permits access because the alias literal does not match the restricted canonical identity. The attacker then invokes the associated bundled tool, gaining access to capabilities — file contents, API tokens, or network resources — that the policy intended to block. In a shared deployment, this allows a lower-trust agent or tenant to escalate its effective tool access to match a higher-trust provider's capability set.
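
The alias-versus-canonical comparison described above, and the policy audit recommended in the remediation steps, shown as an added example. This is not OpenClaw code: the alias map, the policy layout and every provider name are hypothetical and constructed for illustration.

```python
# Added illustration. All names and data are hypothetical and constructed;
# this is not OpenClaw's configuration schema or source code.
ALIASES = {"vault": "secrets-provider", "fs": "file-provider", "chat": "chat-provider"}
RESTRICTED = {"secrets-provider"}              # policy keyed on canonical identities
POLICY_SUBJECTS = ["secrets-provider", "fs"]   # "fs" is an alias used as a subject


def canonical(name, aliases=ALIASES):
    """Resolve an alias (or alias chain) to its canonical provider identity."""
    seen = set()
    while name in aliases:
        if name in seen:
            raise ValueError(f"alias cycle involving {name!r}")
        seen.add(name)
        name = aliases[name]
    return name


def allowed_flawed(requested):
    # Flawed pattern: the string as requested is compared with the policy, so
    # an alias of a restricted provider never matches the restricted entry.
    return requested not in RESTRICTED


def allowed_hardened(requested):
    # Hardened pattern: canonicalize first, then evaluate the policy.
    return canonical(requested) not in RESTRICTED


def audit(aliases, restricted, subjects):
    """Flag alias-based policy subjects and aliases that reach restricted providers."""
    findings = []
    for subject in subjects:
        if subject in aliases:
            findings.append(("alias-as-subject", subject, canonical(subject, aliases)))
    for alias in aliases:
        target = canonical(alias, aliases)
        if target in restricted:
            findings.append(("alias-to-restricted", alias, target))
    return findings


if __name__ == "__main__":
    for provider in ("vault", "secrets-provider", "chat"):
        print(provider, allowed_flawed(provider), allowed_hardened(provider))
    for finding in audit(ALIASES, RESTRICTED, POLICY_SUBJECTS):
        print(finding)
```

The aliases reported as `alias-to-restricted` are also the ones worth alerting on when they appear in runner request logs.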

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026
