CVE-2026-53814: OpenClaw: privilege escalation via hook-triggered MCP scope

HIGH
Published June 11, 2026
CISO Take

OpenClaw before 2026.5.20 contains a privilege escalation flaw (CWE-266) where agent runs triggered via the /hooks/agent endpoint incorrectly inherit the owner's full MCP loopback authority instead of the scoped permissions appropriate for hooks. Any authenticated user holding a valid hook token — a low-privilege credential — can exploit this to spawn CLI runtimes capable of invoking owner-only MCP tools, including persistent cron state modifications. With a CVSS of 8.3, no user interaction required, and low attack complexity, this is trivially exploitable in any multi-user OpenClaw deployment; the package has 4 downstream dependents and 155 prior CVEs on record, indicating a persistent vulnerability surface. Patch to OpenClaw 2026.5.20 immediately, audit all hook token holders, and review MCP tool invocation logs for any unauthorized actions since deployment.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High. CVSS 8.3 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible exploitation requiring only low privileges — a hook token. The no-user-interaction requirement and low complexity make this actionable for any attacker with hook access. Blast radius extends to all MCP-integrated tools and cron or persistence mechanisms accessible under the owner account. Not yet in CISA KEV and EPSS data is unavailable, but the trivially low exploitation bar warrants treating this as high urgency in any environment where hook tokens are broadly distributed or exposed to CI/CD pipelines.

How does the attack unfold?

Initial Access
Attacker obtains a valid hook token via legitimate low-privilege access to the OpenClaw deployment, such as a developer account or embedded CI service credential.
AML.T0012
Exploitation
Attacker calls the /hooks/agent endpoint using the hook token, triggering an agent run that incorrectly inherits owner-scoped MCP loopback authority due to the scope assignment bug.
AML.T0049
Privilege Escalation
Spawned CLI runtime operates with owner-level MCP authority, bypassing the intended hook-scoped permission model and gaining access to restricted tool invocations.
AML.T0053
Impact
Attacker invokes owner-only MCP tools to modify persistent cron state, access privileged data sources, or establish persistence within the agentic environment under the owner's identity.
AML.T0081

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range:
Patched: No patch
4 dependents, 79% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): Low

What should I do?

6 steps
  1. Patch immediately to OpenClaw >= 2026.5.20 per GHSA-6fvr-66p3-3qj4.

  2. Audit all holders of valid hook tokens and revoke any not strictly necessary.

  3. Review MCP tool invocation logs for unexpected privileged calls originating from hook-triggered agent sessions.

  4. Apply least-privilege to hook token distribution — treat hook tokens as sensitive credentials equivalent to service account keys.

  5. Monitor /hooks/agent endpoint for anomalous invocation patterns or off-hours activity.

  6. Until patched, consider disabling hook-triggered agent runs if operationally feasible, or restrict the endpoint to known-safe source IPs.
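Steps 3 and 5 above can be turned into a log check. The following is an added example, not OpenClaw's own code: it assumes a constructed JSON-lines MCP invocation log with fields ts, session, trigger, actor, mcp_scope and tool, and an assumed set of owner-only cron tool names, and flags hook-triggered sessions that were granted owner scope, that invoked an owner-only tool, or that ran off-hours.

```python
"""Constructed detection: flag hook-triggered agent sessions acting with owner authority.

The log schema, field names and tool names below are assumptions for illustration;
the advisory does not describe OpenClaw's real log format.
"""
import json
from datetime import datetime, time

# Tools the advisory describes as owner-only (cron/persistence); assumed names.
OWNER_ONLY_TOOLS = {"cron.schedule", "cron.update", "cron.delete"}
OFF_HOURS = (time(20, 0), time(6, 0))  # 20:00-06:00 local, constructed policy

# Constructed sample log lines (one JSON object per line), not real OpenClaw output.
SAMPLE_LOG = """\
{"ts":"2026-06-10T14:02:11","session":"s1","trigger":"owner","actor":"alice","mcp_scope":"owner","tool":"cron.schedule"}
{"ts":"2026-06-10T14:05:40","session":"s2","trigger":"hook","actor":"hook:ci-deploy","mcp_scope":"hook","tool":"repo.read"}
{"ts":"2026-06-10T14:07:03","session":"s3","trigger":"hook","actor":"hook:ci-deploy","mcp_scope":"owner","tool":"cron.update"}
{"ts":"2026-06-11T02:31:55","session":"s4","trigger":"hook","actor":"hook:dev-bob","mcp_scope":"hook","tool":"cron.delete"}
"""

def expected_scope(trigger: str) -> str:
    """Intended mapping: a hook-triggered run must never hold owner scope."""
    return "owner" if trigger == "owner" else "hook"

def is_off_hours(ts: str) -> bool:
    """True when the timestamp falls in the OFF_HOURS window (wraps past midnight)."""
    t = datetime.fromisoformat(ts).time()
    start, end = OFF_HOURS
    return t >= start or t < end

def audit_mcp_log(log_text: str) -> list[dict]:
    """Return one finding per suspicious event, listing every reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        # Step 3: hook session granted a scope other than the hook scope (the CVE's symptom).
        if ev["trigger"] == "hook" and ev["mcp_scope"] != expected_scope("hook"):
            reasons.append("scope_escalation")
        # Step 3: hook session invoking an owner-only tool, whatever scope it reports.
        if ev["trigger"] == "hook" and ev["tool"] in OWNER_ONLY_TOOLS:
            reasons.append("owner_only_tool_from_hook")
        # Step 5: hook activity outside the expected operating window.
        if ev["trigger"] == "hook" and is_off_hours(ev["ts"]):
            reasons.append("off_hours_hook_activity")
        if reasons:
            findings.append({"session": ev["session"], "actor": ev["actor"],
                             "tool": ev["tool"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_mcp_log(SAMPLE_LOG):
        print(finding)
```

On the sample, sessions s3 and s4 are flagged: s3 for holding owner scope and calling cron.update from a hook trigger, s4 for an owner-only cron call at 02:31.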

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system access control
A.6.2 - AI system roles and responsibilities
NIST AI RMF
GOVERN 1.2 - Accountability and authority
GOVERN 1.4 - Organizational teams responsible for AI risk
OWASP LLM Top 10
LLM06 - Excessive Agency
LLM08:2025 - Excessive Agency

How many AI incidents are linked? (2)

Source: AI Incident Database (AIID)

Frequently Asked Questions


Is CVE-2026-53814 actively exploited?

No confirmed active exploitation of CVE-2026-53814 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-53814?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, MCP-integrated agentic pipelines, Hook-driven automation workflows, Multi-user AI agent deployments.

What is the CVSS score for CVE-2026-53814?

CVE-2026-53814 has a CVSS v3.1 base score of 8.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
MCP-integrated agentic pipelines
Hook-driven automation workflows
Multi-user AI agent deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4, A.6.2
NIST AI RMF: GOVERN 1.2, GOVERN 1.4
OWASP LLM Top 10: LLM06, LLM08:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.

Exploitation Scenario

An attacker with legitimate but low-privilege access to an OpenClaw deployment — such as a developer or CI service holding a hook token — crafts a request to the /hooks/agent endpoint. The spawned CLI runtime, due to the incorrect scope assignment bug, receives the owner's full MCP loopback authority. The attacker then invokes owner-only MCP tools: modifying cron schedules to persist a backdoor agent, accessing restricted data sources unavailable to hook-scoped sessions, or triggering privileged agentic workflows without authorization. Because the escalated session operates under owner authority, standard audit logs may attribute the activity to the legitimate owner rather than flagging it as anomalous.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026
