CVE-2026-53820: OpenClaw: exec denylist bypass via MCP session-spawn

MEDIUM
Published June 12, 2026
CISO Take

OpenClaw before 2026.5.12 allows any authenticated local caller to bypass its command execution denylist by routing requests through the bundled MCP loopback session-spawn path, spawning a session with broader exec scope than intended (CWE-862: Missing Authorization). The attack requires only low privileges and no user interaction, making it a realistic insider threat or post-compromise escalation vector in AI agent deployments — even though the local attack vector keeps blast radius contained to hosts already running the agent. With 175 prior CVEs in this package, this is not an isolated lapse but a pattern of systemic security debt that should trigger a dependency review regardless of immediate patch status. Upgrade to 2026.5.12 immediately; if patching is blocked, restrict access to the MCP loopback session-spawn path at the host or container boundary and audit agent process logs for unexpected exec scope escalations.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk overall, elevated for AI agent pipeline environments. The CVSS 6.6 score reflects the local-only attack vector, but the PR:L / AC:L / UI:N combination means that any authenticated local user, or any LLM-driven process that already runs on the host, can trigger the bypass reliably. In multi-tenant AI engineering environments or automated agentic pipelines where OpenClaw acts as the execution engine, that bar is trivially cleared. The Integrity:High component is the operative concern: not bulk data theft (confidentiality is rated Low), but unauthorized system modification and persistent configuration changes made through the widened exec scope. A history of 175 CVEs on this package is unusually high and signals structural security debt that multiplies the risk beyond this single finding.

How does the attack unfold?

Initial Access
Attacker obtains a low-privilege authenticated session on a host running OpenClaw via a compromised user account, a malicious third-party skill, or prior code execution on the machine.
AML.T0012
Denylist Bypass
Attacker crafts a session-spawn request to the bundled MCP loopback path, exploiting the missing authorization check (CWE-862) to bypass the exec denylist and obtain a session with broader command scope.
AML.T0107
Elevated Tool Invocation
The attacker's upgraded session executes previously-restricted commands — invoking system binaries, reading agent configuration, or accessing cached credentials — outside the intended permission boundary.
AML.T0053
Impact
Attacker achieves high-integrity impact: modifying system or agent configuration, exfiltrating API keys or credentials from the host, or establishing persistent elevated access for future sessions.
AML.T0112.000

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip         < 2026.5.12        2026.5.12
4 dependents, 70% patched, ~0 days to patch


How severe is it?

CVSS 3.1
6.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV)        Local
Attack Complexity (AC)    Low
Privileges Required (PR)  Low
User Interaction (UI)     None
Scope (S)                 Unchanged
Confidentiality (C)       Low
Integrity (I)             High
Availability (A)          Low

What should I do?

5 steps
  1. Patch: Upgrade OpenClaw to 2026.5.12 or later; fix confirmed in vendor advisory GHSA-qh2f-99mv-mrcf.

  2. Workaround: If patching is not immediately feasible, restrict which processes can reach the MCP loopback session-spawn endpoint. Because the endpoint lives on loopback, a perimeter firewall never sees it; enforce the restriction on the host itself (for example, a host firewall rule on the loopback interface that matches on the owning UID, or a container security policy that keeps the agent in its own network namespace) and deny the loopback MCP path to every caller except the explicitly required service accounts. Treat this as a stop-gap: the missing authorization check stays in the code until you upgrade.

  3. Detection: Review process execution logs for OpenClaw agent processes spawning commands outside the expected allowlist; alert on sessions created through the MCP loopback session-spawn path that go on to execute a command the exec denylist would normally block, especially when the same caller was refused that command on the standard exec API shortly before.

  4. Dependency audit: Given 175 CVEs in openclaw (pip), assess whether this package is justified in production; evaluate replacement with a more actively maintained agent framework.

  5. Least privilege: Enforce OS-level process restrictions on all OpenClaw instances — drop unnecessary capabilities, apply seccomp/AppArmor profiles, and run under dedicated service accounts with minimal filesystem permissions.
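The detection step above, as an added example that is not OpenClaw's code or tooling: it correlates sessions created through the MCP loopback session-spawn path with later exec events that run a denylisted command, and marks the strongest signal, the same caller having been refused the same command on the standard exec API just before. The JSON-lines event schema (session.spawn, exec, exec.denied), its field names, the spawn path string and the denylist contents are all constructed for illustration; map them onto the real agent logs before deploying.

```python
"""Detection sketch for the escalation pattern behind CVE-2026-53820.

Added example, not OpenClaw's code. The event schema, field names, spawn path
and denylist below are constructed assumptions for illustration."""
import json
from dataclasses import dataclass

EXEC_DENYLIST = frozenset({"rm", "curl", "wget", "nc", "sudo", "ssh"})  # constructed policy
MCP_SPAWN_PATH = "/mcp/loopback/session/spawn"                         # assumed endpoint name

# Constructed sample log: session s1 uses the normal exec API and is denied curl;
# the same caller then spawns s2 via the MCP loopback path and curl succeeds.
SAMPLE_LOG = """\
{"ts":"2026-06-12T10:00:01Z","event":"session.spawn","session":"s1","caller":"alice","via":"api"}
{"ts":"2026-06-12T10:00:02Z","event":"exec","session":"s1","argv":["ls","-la"]}
{"ts":"2026-06-12T10:00:03Z","event":"exec.denied","session":"s1","argv":["curl","http://169.254.169.254/"]}
{"ts":"2026-06-12T10:01:00Z","event":"session.spawn","session":"s2","caller":"alice","via":"/mcp/loopback/session/spawn"}
{"ts":"2026-06-12T10:01:05Z","event":"exec","session":"s2","argv":["/usr/bin/curl","http://169.254.169.254/"]}
{"ts":"2026-06-12T10:01:09Z","event":"exec","session":"s2","argv":["cat","/home/agent/.openclaw/config.json"]}
{"ts":"2026-06-12T10:02:00Z","event":"session.spawn","session":"s3","caller":"svc-orchestrator","via":"/mcp/loopback/session/spawn"}
{"ts":"2026-06-12T10:02:01Z","event":"exec","session":"s3","argv":["python","run.py"]}
"""


@dataclass
class Finding:
    ts: str
    session: str
    caller: str
    command: str
    argv: list
    previously_denied_on_exec_api: bool


def _basename(path):
    # compare on the command name so "/usr/bin/curl" and "curl" match the same entry
    return path.rsplit("/", 1)[-1]


def detect(log_text, denylist=EXEC_DENYLIST, spawn_path=MCP_SPAWN_PATH):
    mcp_sessions = {}     # session id -> caller, for sessions born on the MCP loopback path
    session_caller = {}   # every session id -> caller, needed to attribute exec.denied events
    denied_pairs = set()  # (caller, command) pairs the standard exec API refused
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "session.spawn":
            session_caller[ev["session"]] = ev["caller"]
            if ev.get("via") == spawn_path:
                mcp_sessions[ev["session"]] = ev["caller"]
        elif kind == "exec.denied":
            argv = ev.get("argv") or []
            if argv:
                denied_pairs.add((session_caller.get(ev["session"]), _basename(argv[0])))
        elif kind == "exec" and ev["session"] in mcp_sessions:
            argv = ev.get("argv") or []
            cmd = _basename(argv[0]) if argv else ""
            if cmd in denylist:
                caller = mcp_sessions[ev["session"]]
                findings.append(Finding(
                    ts=ev["ts"], session=ev["session"], caller=caller, command=cmd, argv=argv,
                    previously_denied_on_exec_api=(caller, cmd) in denied_pairs))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        suffix = " after being denied on the exec API" if f.previously_denied_on_exec_api else ""
        print(f"ALERT {f.ts} session={f.session} caller={f.caller} ran denied command {f.command!r}{suffix}")
```

On the constructed sample this raises exactly one alert, for session s2, and marks it as preceded by a denial on the normal path. The `cat` of the agent config in the same session is not a denylist hit, so it is not flagged here; in practice you would feed the MCP-spawned session IDs into a second rule that watches file reads of credential and config paths.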

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system access control
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53820?

OpenClaw before 2026.5.12 allows any authenticated local caller to bypass its command execution denylist by routing a session-spawn request through the bundled MCP loopback path, which performs no authorization check (CWE-862: Missing Authorization) and returns a session with broader exec scope than intended. The attack needs only low privileges and no user interaction, but is local-only. See the CISO Take above for the full assessment.

Is CVE-2026-53820 actively exploited?

No confirmed active exploitation of CVE-2026-53820 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53820?

Upgrade OpenClaw to 2026.5.12 or later (fix confirmed in vendor advisory GHSA-qh2f-99mv-mrcf). If patching is blocked, restrict access to the MCP loopback session-spawn endpoint at the host or container boundary, alert on exec invocations from MCP-spawned sessions that the denylist would normally block, run OpenClaw under a dedicated least-privilege service account with seccomp/AppArmor confinement, and review whether a package with 175 CVEs belongs in production. The five steps are detailed under "What should I do?" above.

What systems are affected by CVE-2026-53820?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Agentic pipelines, Multi-agent orchestration systems, MCP-based tool execution environments, Local AI agent deployments.

What is the CVSS score for CVE-2026-53820?

CVE-2026-53820 has a CVSS v3.1 base score of 6.6 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Agentic pipelines, Multi-agent orchestration systems, MCP-based tool execution environments, Local AI agent deployments

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundled MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.

Exploitation Scenario

An attacker with a low-privilege authenticated account on a host running OpenClaw — a compromised developer account in an AI engineering environment, a malicious skill loaded via ClawHub, or an LLM agent that achieved prior code execution — identifies the MCP loopback session-spawn endpoint. By crafting a session-spawn request through this path rather than the standard exec API, the attacker bypasses the denylist check (CWE-862: the authorization step is simply not applied on this code path). The resulting session carries a broader command scope, allowing execution of previously blocked operations: invoking system binaries, reading or writing configuration files, or accessing credentials cached by the agent runtime. In a fully automated agentic pipeline, a compromised LLM could autonomously trigger this path to escalate its own tool access without human awareness, then use the expanded access to exfiltrate API keys or modify downstream agent behavior.
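The bug class described above, modeled as an added example in Python; this is not OpenClaw's code, and the names `ExecPolicy`, `Session`, `exec_command`, `spawn_session_via_mcp` and the denylist contents are invented for illustration. The vulnerable runtime enforces the denylist inside the standard exec API but lets the session-spawn path hand out a session with whatever scope the caller asks for. The hardened runtime routes every session, whatever path created it, through one choke point where the caller can only narrow the policy denylist, never widen it, which is the structural fix for a CWE-862 gap of this shape.

```python
"""Vulnerable-versus-hardened model of the CVE-2026-53820 bug class (CWE-862).

Added example, not OpenClaw's code. All names and the denylist are assumptions."""
from dataclasses import dataclass, field
import shlex

EXEC_DENYLIST = frozenset({"rm", "curl", "wget", "nc", "sudo", "ssh"})  # constructed policy


class ExecDenied(PermissionError):
    pass


@dataclass
class Session:
    owner: str
    denylist: frozenset = EXEC_DENYLIST   # commands this session may not run
    log: list = field(default_factory=list)

    def exec(self, cmdline):
        argv = shlex.split(cmdline)
        if not argv:
            raise ValueError("empty command")
        # The check lives on the session, so it is only as strong as the
        # denylist the session was created with. That is the weak point.
        if argv[0].rsplit("/", 1)[-1] in self.denylist:
            raise ExecDenied(f"{argv[0]} is on the exec denylist")
        self.log.append(argv)
        return argv


class VulnerableRuntime:
    """Pre-fix shape: exec_command enforces the policy, but the MCP loopback
    session-spawn path never checks that the caller may widen its scope."""

    def exec_command(self, caller, cmdline):
        return Session(owner=caller).exec(cmdline)

    def spawn_session_via_mcp(self, caller, requested_denylist=frozenset()):
        # CWE-862: any authenticated caller gets exactly the scope it asks for.
        return Session(owner=caller, denylist=frozenset(requested_denylist))


class HardenedRuntime:
    """Single choke point: every session starts from the policy denylist and a
    caller may only add denials (set union), never remove any."""

    def _authorize_scope(self, caller, requested):
        effective = EXEC_DENYLIST | frozenset(requested)
        return Session(owner=caller, denylist=effective)

    def exec_command(self, caller, cmdline):
        return self._authorize_scope(caller, ()).exec(cmdline)

    def spawn_session_via_mcp(self, caller, requested_denylist=frozenset()):
        return self._authorize_scope(caller, requested_denylist)


def bypass_attempt(runtime, caller="low-priv-user", cmd="curl http://169.254.169.254/"):
    """Try a denylisted command on both paths; return (denied_direct, denied_via_mcp)."""
    def denied(fn):
        try:
            fn()
            return False
        except ExecDenied:
            return True
    direct = denied(lambda: runtime.exec_command(caller, cmd))
    via_mcp = denied(lambda: runtime.spawn_session_via_mcp(caller).exec(cmd))
    return direct, via_mcp


if __name__ == "__main__":
    print("vulnerable:", bypass_attempt(VulnerableRuntime()))  # (True, False): MCP path leaks
    print("hardened:  ", bypass_attempt(HardenedRuntime()))    # (True, True)
```

The point to carry over to a real code base is the second class: authorization must happen where sessions are created, not only on one of the entry points that use them, and scope requests coming from a loopback caller deserve exactly the same check as any other caller, since the loopback address says nothing about who is on the other end.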

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026
