CVE-2026-53821: OpenClaw: auth bypass grants admin RPC via WebSocket

HIGH
Published June 12, 2026
CISO Take

OpenClaw's WebSocket Gateway accepts client-declared operator.admin scopes before completing server-side pairing or trusted-proxy authorization binding, meaning any low-privilege or restricted client can escalate to full admin authority on a live connection. With a CVSS of 8.8 (AV:N/AC:L/PR:L/UI:N), this is network-exploitable with minimal complexity and zero user interaction—the easiest exploitability profile short of unauthenticated access. The package carries 175 prior CVEs and has 4 downstream dependents, signaling a systemically vulnerable codebase embedded in other AI agent tooling where this flaw may be inherited. No public exploit or CISA KEV listing yet, but the trivial exploitation bar means weaponization is a matter of reading the advisory. Patch to OpenClaw 2026.5.18 immediately, restrict Gateway WebSocket ports to trusted network segments, and audit logs for operator.admin scope assertions from unpaired or restricted clients.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk. CVSS 8.8 with a network attack vector, low complexity, low privilege requirement, and no user interaction makes this straightforward to exploit by any authenticated attacker with network access to the Gateway. CWE-862 (Missing Authorization) is structural—scope claims are accepted from the client before binding to server-approved authorization—meaning no misconfiguration is required on the victim side to be exposed. The 175 prior CVEs in the same package indicate systemic security debt and a historically weak security posture. No active exploitation confirmed yet, but the low exploitation bar combined with public advisories from both GitHub and VulnCheck accelerates adversarial awareness.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker connects to the OpenClaw WebSocket Gateway as a restricted or unpaired Control UI client using valid low-privilege credentials, gaining a foothold in the agent control plane.

  2. Privilege Escalation (AML.T0091.000): Attacker sends a crafted WebSocket message asserting operator.admin scope before server-side pairing or trusted-proxy authorization binding completes, exploiting CWE-862 missing authorization.

  3. Authority Acquisition (AML.T0091.000): The OpenClaw Gateway accepts the client-declared operator.admin scope from its cache, elevating the attacker's session to full admin authority on the live WebSocket connection without legitimate server-side approval.

  4. Impact (AML.T0053): Attacker executes admin-gated Gateway RPCs to install malicious skills, exfiltrate agent configuration and conversation data, or reconfigure agent operator settings for persistent access.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 70% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

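  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High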

What should I do?

6 steps
  1. Upgrade to OpenClaw 2026.5.18 or later immediately; this is the only complete remediation.

  2. If patching is not immediately feasible, restrict WebSocket Gateway ports to localhost or a trusted internal network segment and block all external access at the firewall.

  3. Revoke and rotate API keys, operator credentials, and any secrets accessible via admin RPCs that may have been exposed.

  4. Review WebSocket connection logs for entries where clients asserted operator.admin scope without completing the server-approved pairing handshake.

  5. Audit all installed OpenClaw skills for unauthorized additions, since admin RPC access could enable malicious skill installation mirroring the AIID #1368 attack pattern.

  6. If trusted-proxy mode is in use, verify that all registered proxy clients are operating within their approved authorization baseline and revoke any anomalous pairings.
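
The log review in step 4 can be scripted. The following is an added example, not OpenClaw code: the JSON-lines schema (`conn`, `event`, `client`, `scopes`, `approved_scopes`, `method`), the event names, and the sample log are constructed for illustration and must be mapped to whatever your Gateway actually records.

```python
import json

# Constructed sample log (JSON lines). Event names and fields are assumptions
# made for this example, not OpenClaw's actual log schema.
SAMPLE_LOG = """\
{"conn": "c1", "event": "connect", "client": "ui-alpha", "scopes": ["operator.admin"]}
{"conn": "c1", "event": "pairing_approved", "approved_scopes": ["operator.admin"]}
{"conn": "c1", "event": "rpc", "method": "skills.install"}
{"conn": "c2", "event": "connect", "client": "ui-bravo", "scopes": ["operator.admin"]}
{"conn": "c2", "event": "rpc", "method": "config.set"}
{"conn": "c3", "event": "connect", "client": "proxy-ui", "scopes": ["operator.admin"]}
{"conn": "c3", "event": "pairing_approved", "approved_scopes": ["operator.read"]}
{"conn": "c3", "event": "rpc", "method": "skills.install"}
truncated or non-JSON line
"""

ADMIN = "operator.admin"

def find_unbound_admin(log_text):
    """Report connections that claimed operator.admin without server approval of that scope."""
    claimed, approved, findings = {}, {}, {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        if not isinstance(ev, dict) or ev.get("conn") is None:
            continue
        conn, kind = ev["conn"], ev.get("event")
        if kind == "connect" and ADMIN in (ev.get("scopes") or []):
            claimed[conn] = ev.get("client")
        elif kind == "pairing_approved":
            approved.setdefault(conn, set()).update(ev.get("approved_scopes") or [])
        elif kind == "rpc" and conn in claimed and ADMIN not in approved.get(conn, set()):
            # RPC issued while the admin claim had no server approval behind it
            hit = findings.setdefault(conn, {"conn": conn, "client": claimed[conn], "rpcs": []})
            hit["rpcs"].append(ev.get("method"))
    for conn, client in claimed.items():  # unapproved claims with no RPC yet still count
        if ADMIN not in approved.get(conn, set()):
            findings.setdefault(conn, {"conn": conn, "client": client, "rpcs": []})
    return sorted(findings.values(), key=lambda f: f["conn"])

if __name__ == "__main__":
    for finding in find_unbound_admin(SAMPLE_LOG):
        print(finding)
```

An RPC that precedes a later approval on the same connection is still reported, since the exposure window is the period before binding completes.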

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 9 - Risk management system
  • ISO 42001: A.6.2.3 - Technical measures for AI system security in operations
  • NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to manage treatment of identified AI risks
  • OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53821 actively exploited?

No confirmed active exploitation of CVE-2026-53821 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53821?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Agent orchestration platforms, WebSocket-based AI control planes, AI skill and plugin ecosystems.

What is the CVSS score for CVE-2026-53821?

CVE-2026-53821 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

  • AI agent frameworks
  • Agent orchestration platforms
  • WebSocket-based AI control planes
  • AI skill and plugin ecosystems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs.

Exploitation Scenario

An attacker operating as a restricted trusted-proxy Control UI client establishes a WebSocket connection to the OpenClaw Gateway and sends a crafted message asserting operator.admin scope before the server completes pairing validation. The Gateway, which evaluates client-declared scopes against a cached authority store rather than binding them to a server-approved authorization baseline first, accepts the admin claim. The attacker then issues admin-gated Gateway RPCs to enumerate agent tool configurations, install a malicious skill that exfiltrates stored API keys and conversation history to an external endpoint, and reconfigures the agent's default operator to maintain persistence—all within a session that appears to hold legitimate admin credentials, producing no anomalous authentication alerts.
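
The ordering flaw described above, modeled as an added example (not OpenClaw's code): authorization that trusts client-declared scopes, next to a version that intersects them with a server-approved baseline before any RPC is authorized. The class, function, method and client names are hypothetical.

```python
# Hypothetical mapping of Gateway RPC methods to the scope each requires.
METHOD_SCOPE = {
    "skills.install": "operator.admin",
    "config.set": "operator.admin",
    "status.get": "operator.read",
}

# Server-approved pairing baseline (constructed). "ui-bravo" is unpaired.
BASELINE = {
    "ui-alpha": frozenset({"operator.read", "operator.admin"}),
    "proxy-ui": frozenset({"operator.read"}),  # restricted trusted-proxy client
}

class Session:
    def __init__(self, client_id, declared_scopes):
        self.client_id = client_id
        self.declared = frozenset(declared_scopes)  # untrusted: sent by the client
        self.granted = frozenset()                  # trusted: set only by bind()

def bind(session, baseline):
    """Grant only scopes the server approved for this client; unpaired clients get none."""
    session.granted = session.declared & baseline.get(session.client_id, frozenset())
    return session.granted

def authorize_flawed(session, method):
    # Pattern from the advisory: the client-declared scope is honored as-is.
    return METHOD_SCOPE.get(method) in session.declared

def authorize_bound(session, method):
    # Corrected: only server-granted scopes count; unknown methods are denied.
    return METHOD_SCOPE.get(method) in session.granted

def compare(client_id, method="skills.install"):
    """Return (flawed_decision, bound_decision) for a client that declares admin."""
    s = Session(client_id, {"operator.read", "operator.admin"})
    flawed = authorize_flawed(s, method)
    bind(s, BASELINE)
    return flawed, authorize_bound(s, method)

if __name__ == "__main__":
    for cid in ("ui-alpha", "proxy-ui", "ui-bravo"):
        print(cid, compare(cid))
```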

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026
