CVE-2026-53817: OpenClaw locality spoof yields

CISO Take

OpenClaw before version 2026.5.22 contains a critical authentication flaw in its Control UI pairing mechanism: an attacker with low-privilege network access can spoof locality data to obtain admin-capable device tokens that persist even through token rotation cycles. With CVSS 8.8, no user interaction required, and low attack complexity, this is trivially exploitable by any adversary already on the network or holding minimal credentials. The token persistence issue is the most damaging aspect for incident response — standard credential rotation will not evict the attacker, requiring a full audit and revocation of all issued device tokens. Organizations running OpenClaw-based AI agent deployments should upgrade to 2026.5.22 immediately and treat any previously issued device tokens as potentially compromised.

Sources: NVD GitHub Advisory vulncheck.com ATLAS

What is the risk?

High risk. The combination of network-accessible attack surface (AV:N), low complexity (AC:L), low required privileges (PR:L), and no user interaction (UI:N) places this in the most operationally dangerous exploitability tier for AI agent infrastructure. The durable token behavior amplifies risk beyond initial compromise: standard incident response procedures like token rotation are ineffective, requiring full token inventory audits and revocation. With 155 associated CVEs across the same package, this suggests systemic security debt that increases confidence that similar authentication logic flaws exist elsewhere in the codebase. Four downstream dependents may inherit the exposure.

How does the attack unfold?

Initial Access

Attacker with low-privilege network credentials targets the OpenClaw Control UI pairing endpoint, submitting a pairing request with crafted locality data claiming trusted local device status.

AML.T0049

Credential Exploitation

Insufficient locality validation accepts the spoofed claim; OpenClaw issues a durable admin-capable device token without verifying true physical or logical locality.

AML.T0106

Persistence

The admin device token survives token rotation cycles, ensuring attacker access persists through standard incident response actions that would otherwise evict the adversary.

AML.T0091.000

Impact

Adversary uses persistent admin token to modify agent configuration, invoke agent tools against connected internal systems, and pivot laterally across any resources the agent is authorized to access.

AML.T0081

Initial Access

Attacker with low-privilege network credentials targets the OpenClaw Control UI pairing endpoint, submitting a pairing request with crafted locality data claiming trusted local device status.

AML.T0049

Credential Exploitation

Insufficient locality validation accepts the spoofed claim; OpenClaw issues a durable admin-capable device token without verifying true physical or logical locality.

AML.T0106

Persistence

The admin device token survives token rotation cycles, ensuring attacker access persists through standard incident response actions that would otherwise evict the adversary.

AML.T0091.000

Impact

Adversary uses persistent admin token to modify agent configuration, invoke agent tools against connected internal systems, and pivot laterally across any resources the agent is authorized to access.

AML.T0081

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 79% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch immediately: upgrade OpenClaw to 2026.5.22 or later per advisory GHSA-chr9-m4q2-76hw.
Revoke all device tokens: treat all tokens issued by the Control UI pairing system prior to patching as potentially compromised — full revocation and re-issuance is required, not rotation.
Network segmentation: restrict Control UI pairing endpoints to trusted network segments; deny access from untrusted or external networks via firewall rules.
Detection: audit logs for pairing requests with unexpected or mismatched locality values; alert on device tokens that survive multiple rotation cycles without re-authentication events.
Downstream dependencies: verify that any third-party packages depending on OpenClaw are also patched or isolated behind compensating controls.

How is it classified?

Auth Bypass Code Execution Agent AML.T0012 - Valid Accounts AML.T0081 - Modify AI Agent Configuration AML.T0091.000 - Application Access Token AML.T0106 - Exploitation for Credential Access AML.T0108 - AI Agent

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2 - AI system access control A.6.2.3 - Access control for AI systems

NIST AI RMF

GOVERN 1.1 - Organizational risk policies and processes PROTECT-1.2 - Mechanisms to achieve goals of the AI risk management plan are implemented

OWASP LLM Top 10

LLM06:2025 - Excessive Agency LLM08 - Excessive Agency

How many AI incidents are linked? (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Malicious actors medium confidence

Both involve the OpenClaw ecosystem being exploited for unauthorized access and credential exfiltration. The locality spoofing vulnerability enabling persistent admin tokens could facilitate the same class of covert, credential-harvesting access seen in the AMOS stealer incident, where attackers leveraged OpenClaw's trust model to exfiltrate credentials from connected systems.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-53817?

OpenClaw before version 2026.5.22 contains a critical authentication flaw in its Control UI pairing mechanism: an attacker with low-privilege network access can spoof locality data to obtain admin-capable device tokens that persist even through token rotation cycles. With CVSS 8.8, no user interaction required, and low attack complexity, this is trivially exploitable by any adversary already on the network or holding minimal credentials. The token persistence issue is the most damaging aspect for incident response — standard credential rotation will not evict the attacker, requiring a full audit and revocation of all issued device tokens. Organizations running OpenClaw-based AI agent deployments should upgrade to 2026.5.22 immediately and treat any previously issued device tokens as potentially compromised.

Is CVE-2026-53817 actively exploited?

No confirmed active exploitation of CVE-2026-53817 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53817?

1. Patch immediately: upgrade OpenClaw to 2026.5.22 or later per advisory GHSA-chr9-m4q2-76hw. 2. Revoke all device tokens: treat all tokens issued by the Control UI pairing system prior to patching as potentially compromised — full revocation and re-issuance is required, not rotation. 3. Network segmentation: restrict Control UI pairing endpoints to trusted network segments; deny access from untrusted or external networks via firewall rules. 4. Detection: audit logs for pairing requests with unexpected or mismatched locality values; alert on device tokens that survive multiple rotation cycles without re-authentication events. 5. Downstream dependencies: verify that any third-party packages depending on OpenClaw are also patched or isolated behind compensating controls.

What systems are affected by CVE-2026-53817?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic AI deployments, AI control plane infrastructure, multi-agent orchestration systems.

What is the CVSS score for CVE-2026-53817?

CVE-2026-53817 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksagentic AI deploymentsAI control plane infrastructuremulti-agent orchestration systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0081 Modify AI Agent Configuration

AML.T0091.000 Application Access Token

AML.T0106 Exploitation for Credential Access

AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2, A.6.2.3

NIST AI RMF: GOVERN 1.1, PROTECT-1.2

OWASP LLM Top 10: LLM06:2025, LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.

Exploitation Scenario

An adversary with low-privilege credentials — obtained via a compromised service account, phished employee, or prior lateral movement — targets an OpenClaw instance accessible over the network. They initiate a Control UI pairing request, injecting spoofed locality data claiming to represent a trusted local device. Because OpenClaw's locality-derived trust validation is insufficient, the server accepts the claim and issues a durable admin-capable device token. When defenders detect suspicious activity and perform a credential rotation, the attacker's device-scoped token survives the rotation intact. The adversary now holds persistent admin access to the AI agent, enabling them to modify agent configuration, invoke privileged tool calls against connected internal systems, and maintain a covert foothold that resists standard incident response.