CVE-2026-53815: OpenClaw: auth bypass exposes restricted channel messages

MEDIUM
Published June 11, 2026
CISO Take

CVE-2026-53815 is a missing authorization flaw (CWE-862) in OpenClaw's message read API that allows any authenticated low-trust caller — including a third-party skill or subagent — to read messages from channels explicitly blocked by allowlist enforcement. The CVSS 6.5 vector is network-accessible with low complexity, low privileges, and no user interaction required, meaning exploitation is trivial for any minimally authenticated principal. This is especially concerning given OpenClaw's documented malicious skills ecosystem: AIID #1368 found approximately 17% of ClawHub skills assessed as malicious in February 2026, and a poisoned low-trust skill could silently harvest credentials, system prompts, or agent outputs from privileged channels with no obvious trace. Upgrade to OpenClaw 2026.5.19 or later immediately, and audit channel access logs for anomalous cross-channel reads from lower-trust principals.

Sources: NVD, GitHub Advisory, ATLAS, vulncheck.com

What is the risk?

Medium by CVSS score but operationally significant in multi-agent deployments. The auth bypass requires only a low-privilege authenticated session and no user interaction, making exploitation trivial — no AI or ML expertise is needed. The high confidentiality impact (C:H) means sensitive channel data, potentially including credentials, system prompts, or RAG-injected context, is fully accessible to unauthorized callers. While the vulnerability is not in CISA KEV and no public exploit currently exists, the combination of 155 prior CVEs in this package and a confirmed malicious third-party skills ecosystem substantially elevates real-world risk beyond the numeric CVSS score. Organizations running OpenClaw in multi-agent pipelines with third-party skills should treat this as high urgency.

How does the attack unfold?

  1. Initial Access (AML.T0012): Adversary obtains a low-privilege authenticated session in an OpenClaw deployment, for example via a malicious third-party ClawHub skill or a compromised low-trust service account.

  2. Exploitation (AML.T0049): Adversary calls the OpenClaw message read API directly; the channel allowlist check is skipped due to CWE-862, granting read access to channels the caller is explicitly not permitted to access.

  3. Collection (AML.T0036): Adversary iterates restricted channels to harvest inter-agent messages potentially containing API credentials, system prompts, RAG-injected context, or sensitive operational data.

  4. Exfiltration (AML.T0086): Collected channel messages are transmitted to an adversary-controlled endpoint via the skill's existing network access, with no anomaly in skill activity logs since the read call is a legitimate API operation.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 79% patched, ~0d to patch

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. Patch immediately: upgrade to OpenClaw ≥ 2026.5.19, which corrects the channel allowlist bypass (GHSA-q7q8-3mgw-q67r).

  2. If the upgrade cannot be applied immediately, restrict message read API endpoints to high-trust principals only at the network or IAM layer as a compensating control.

  3. Audit channel access logs for reads from lower-trust callers against channels outside their normal scope.

  4. Inventory all installed ClawHub third-party skills and disable any of unknown or untrusted origin until the patch is confirmed deployed.

  5. Rotate any credentials, API keys, or tokens that may have transited OpenClaw channels during the exposure window.

  6. Cross-reference the VulnCheck advisory for additional scanner signatures once available.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System

ISO 42001
A.6.2.4 - Access control for AI systems
A.8.2 - AI system design and engineering — security requirements

NIST AI RMF
GOVERN 1.2 - Accountability structures for AI risk
GOVERN 5.2 - Organizational teams are committed to and accountable for keeping AI risk management activities current

OWASP LLM Top 10
LLM06:2025 - Excessive Agency
LLM07 - Insecure Plugin Design

How many AI incidents are linked? (2)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53815 actively exploited?

No confirmed active exploitation of CVE-2026-53815 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53815?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration systems, AI plugin and skill ecosystems, inter-agent communication pipelines.

What is the CVSS score for CVE-2026-53815?

CVE-2026-53815 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration systems, AI plugin and skill ecosystems, inter-agent communication pipelines

MITRE ATLAS Techniques

AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration
AML.T0085 Data from AI Services
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.4, A.8.2
NIST AI RMF: GOVERN 1.2, GOVERN 5.2
OWASP LLM Top 10: LLM06:2025, LLM07

What are the technical details?

Original Advisory

OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.

Exploitation Scenario

An adversary publishes a malicious skill to ClawHub that appears legitimate but, once installed, directly calls the OpenClaw message read API against channels not covered by the skill's allowlist. Because the allowlist check is skipped in vulnerable versions, the skill successfully reads messages from internal restricted channels — for example, an ops channel where agents exchange API keys, or a compliance channel carrying sensitive audit outputs. The harvested content is transmitted to an adversary-controlled endpoint during normal skill execution. The attack generates no obvious anomaly in skill activity logs because the read API call itself is a valid operation; only cross-channel access pattern analysis would surface the bypass.
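
The cross-channel access pattern analysis mentioned above, which is also the log audit in step 3 of the remediation list, can be sketched as follows. This is an added example, not OpenClaw code: the JSON-lines log schema, the `message.read` action name, the principal and channel names, and the `ALLOWLIST` mapping are all assumptions, and the sample log is constructed.

```python
import json
from collections import defaultdict

# Assumed per-principal channel allowlist, as the operator intends it
# (hypothetical names; not OpenClaw's configuration format).
ALLOWLIST = {
    "skill:weather-lookup": {"general"},
    "agent:ops-runner": {"general", "ops"},
}

# Constructed sample access log, one JSON object per line (assumed schema).
SAMPLE_LOG = """\
{"ts": "2026-06-01T10:00:00Z", "principal": "skill:weather-lookup", "action": "message.read", "channel": "general"}
{"ts": "2026-06-01T10:00:05Z", "principal": "skill:weather-lookup", "action": "message.read", "channel": "ops"}
{"ts": "2026-06-01T10:00:06Z", "principal": "skill:weather-lookup", "action": "message.read", "channel": "compliance"}
{"ts": "2026-06-01T10:01:00Z", "principal": "agent:ops-runner", "action": "message.read", "channel": "ops"}
{"ts": "2026-06-01T10:02:00Z", "principal": "agent:ops-runner", "action": "message.send", "channel": "compliance"}
not-json garbage line
{"ts": "2026-06-01T10:03:00Z", "principal": "skill:unknown", "action": "message.read", "channel": "ops"}
{"ts": "2026-06-01T10:04:00Z", "principal": "skill:weather-lookup", "action": "message.read", "channel": "ops"}
"""


def find_out_of_scope_reads(log_text, allowlist, read_action="message.read"):
    """Return (findings, skipped): findings maps principal -> per-channel read
    counts and first/last timestamps for reads outside its allowlist."""
    findings = defaultdict(lambda: {"channels": defaultdict(int), "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            who, action, chan, ts = rec["principal"], rec["action"], rec["channel"], rec["ts"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it rather than drop it silently
            continue
        if action != read_action:
            continue
        # A principal with no allowlist entry is permitted nothing.
        if chan in allowlist.get(who, set()):
            continue
        f = findings[who]
        f["channels"][chan] += 1
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(findings), skipped
```

The first and last timestamps per principal bound the exposure window used for the credential rotation in step 5.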

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026
