CVE-2026-53810: OpenClaw: extension metadata bypass enables agent RCE

HIGH
Published June 11, 2026
CISO Take

OpenClaw before 2026.5.18 allows an attacker with trusted operator access to manipulate marketplace extension metadata, redirecting plugin loading to unscanned package payloads outside the reviewed entry points — effectively a security-scanner bypass that terminates in arbitrary code execution within the agent's runtime. While EPSS data is not yet available and CISA has not added this to KEV, the attack vector is network-accessible with low complexity (CVSS 8.8), and real-world abuse of OpenClaw's extension ecosystem is already documented in AIID incident #1368, where malicious skills delivered credential-stealing malware at scale. Patch immediately to 2026.5.18+; if patching is blocked, audit all installed marketplace extensions for unexpected metadata redirects and restrict operator-level access to the extension configuration surface.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck Advisory

What is the risk?

High risk. The vulnerability sits at the intersection of supply chain compromise and AI agent plugin ecosystems — an increasingly targeted attack surface. CVSS 8.8 with AV:N/AC:L makes exploitation technically straightforward once operator access is obtained. The package carries 155 prior CVEs, signaling a historically weak security posture. Although there are only 4 downstream dependents tracked, OpenClaw is categorized as an ai_agent platform, meaning successful exploitation affects not just the host system but any AI-driven workflows, tool invocations, and data the agent has access to. The absence of a public exploit or Nuclei template marginally reduces immediate opportunistic risk, but the low complexity and existing ecosystem abuse history elevate the credible threat window.

How does the attack unfold?

  1. Operator Access (AML.T0012)
     Adversary obtains trusted operator access to an OpenClaw deployment via compromised credentials, insider threat, or social engineering targeting an administrator.

  2. Metadata Manipulation (AML.T0081)
     Attacker modifies marketplace extension runtime metadata to redirect plugin loading from the reviewed package entry point to an attacker-controlled payload location.

  3. Scanning Bypass (AML.T0107)
     OpenClaw's security scanner inspects the legitimate entry point, but the loader follows the manipulated metadata path to the unscanned payload, evading all static analysis controls.

  4. Code Execution (AML.T0010.005)
     Malicious payload executes within the OpenClaw agent runtime on user-triggered extension load, inheriting full agent permissions and enabling credential theft, data exfiltration, or persistence.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip         -                  No patch

4 dependents; 79% patched; ~0d to patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Patch: Upgrade OpenClaw to 2026.5.18 or later immediately — this is the only complete remediation.

  2. Audit extensions: Review all installed marketplace extensions; compare declared entry points in metadata against actual loaded module paths. Flag any discrepancy.

  3. Restrict operator access: Apply least-privilege to the extension configuration surface; require MFA and approval workflows for metadata changes.

  4. Pin extension versions: Where possible, lock extensions to specific verified versions and block runtime metadata updates without explicit review.

  5. Sandbox agent execution: Run OpenClaw agents in isolated environments (containers, VMs) with egress filtering to limit lateral movement if code execution is achieved.

  6. Monitor for IOCs: Watch for OpenClaw processes spawning unexpected child processes or making anomalous outbound connections — consistent with AMOS-style stealer payloads documented in AIID #1368.

  7. Reference the vendor advisory at github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w for patch notes and any additional workarounds.
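The entry-point audit from step 2, as an added example (not OpenClaw's own code). The metadata fields (package_root, declared_entry, loaded_module) and the sample paths are assumptions standing in for whatever the marketplace actually records; the check flags any loaded module that differs from the reviewed entry point or that resolves outside the reviewed package directory.

```python
"""Flag extensions whose loader target no longer matches the reviewed entry point."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Extension:
    # Assumed metadata shape (hypothetical, not OpenClaw's real schema).
    name: str
    package_root: str      # directory the marketplace scanner reviewed
    declared_entry: str    # entry point recorded at review time, relative to root
    loaded_module: str     # module the runtime metadata now tells the loader to import


def _resolve(root: str, path: str) -> str:
    # Absolute paths stand alone; relative ones are joined to the package root.
    # normpath collapses ".." so traversal shows up in the resolved path.
    # (normpath does not follow symlinks; use os.path.realpath for an on-disk audit.)
    return os.path.normpath(path if os.path.isabs(path) else os.path.join(root, path))


def audit(ext: Extension) -> list:
    """Return human-readable findings; an empty list means the entry point is consistent."""
    root = os.path.abspath(ext.package_root)
    declared = _resolve(root, ext.declared_entry)
    loaded = _resolve(root, ext.loaded_module)
    findings = []
    if loaded != declared:
        findings.append(f"{ext.name}: loader target {ext.loaded_module!r} differs from reviewed entry {ext.declared_entry!r}")
    try:
        inside = os.path.commonpath([root, loaded]) == root
    except ValueError:          # different drives on Windows: certainly outside
        inside = False
    if not inside:
        findings.append(f"{ext.name}: loader target resolves outside the reviewed package root ({loaded})")
    return findings


def audit_all(extensions) -> dict:
    """Map extension name -> findings, only for extensions that have at least one."""
    return {e.name: f for e in extensions if (f := audit(e))}


# Constructed sample inventory (not real OpenClaw data).
SAMPLE = [
    Extension("calendar-sync", "/opt/openclaw/extensions/calendar-sync", "plugin.py", "plugin.py"),
    Extension("pdf-tools", "/opt/openclaw/extensions/pdf-tools", "main.py", "../../../tmp/.cache/loader.py"),
    Extension("slack-bridge", "/opt/openclaw/extensions/slack-bridge", "bridge.py", "/var/tmp/bridge.py"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for line in findings:
            print("FLAG", line)
```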

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment
8.4 - AI system life cycle — acquisition and supply chain
Annex A, A.10 - Third-party and customer relationships involving AI systems
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management — supply chain
MANAGE 2.2 - Mechanisms are in place to manage third-party AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities
LLM03:2025 - Supply Chain Vulnerabilities
LLM07 - Insecure Plugin Design
LLM07:2025 - Insecure Plugin Design

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53810 actively exploited?

No confirmed active exploitation of CVE-2026-53810 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53810?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, marketplace and plugin ecosystems, agent-driven automation pipelines, AI tool chains with operator-managed configurations.

What is the CVSS score for CVE-2026-53810?

CVE-2026-53810 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Marketplace and plugin ecosystems
Agent-driven automation pipelines
AI tool chains with operator-managed configurations

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0011.001 Malicious Package
AML.T0011.002 Poisoned AI Agent Tool
AML.T0074 Masquerading
AML.T0081 Modify AI Agent Configuration
AML.T0104 Publish Poisoned AI Agent Tool
AML.T0107 Exploitation for Defense Evasion
AML.T0110 AI Agent Tool Poisoning

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2, 8.4, Annex A, A.10
NIST AI RMF: GOVERN-1.7, MANAGE 2.2
OWASP LLM Top 10: LLM03, LLM03:2025, LLM07, LLM07:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning.

Exploitation Scenario

An adversary with trusted operator access to an OpenClaw deployment — obtained via compromised credentials, insider threat, or social engineering — modifies the runtime extension metadata for a legitimately installed marketplace skill. The metadata edit redirects the plugin loader to a secondary payload location outside the package's reviewed entry point. When OpenClaw next initializes or reloads the extension (triggered by a user action satisfying the UI:R requirement), it loads the attacker-controlled code without triggering marketplace security scans. The injected code executes within the agent's runtime with full inherited permissions — enabling credential harvesting, data exfiltration, or deployment of persistent malware. This mirrors the documented AIID #1368 AMOS stealer campaign, where malicious OpenClaw skills exfiltrated credentials by abusing the same extension trust model.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026