CVE-2026-53822: OpenClaw: TOCTOU command injection bypasses allowlist
Severity: HIGH
OpenClaw contains a time-of-check-time-of-use (TOCTOU) race condition (CWE-367) in its shell wrapper that lets authenticated network attackers swap command arguments after allowlist approval but before execution, completely invalidating the platform's primary command security control. With a CVSS of 8.8 and full confidentiality, integrity, and availability impact — and no user interaction required — any AI agent deployment running a pre-2026.5.18 version is exposed to arbitrary code execution on the agent host, where elevated tool permissions typically translate directly to lateral movement and data exfiltration. No public exploit or CISA KEV entry exists yet, but TOCTOU exploitation is well-understood and the low-privilege requirement substantially lowers the bar; the 175 prior CVEs logged against this package signal a pattern of persistent security debt that warrants treating this urgently. Patch to OpenClaw 2026.5.18 immediately; if patching is delayed, restrict network access to agent execution endpoints, disable shell wrapper invocation where feasible, and audit process spawn logs for argv anomalies.
What is the risk?
HIGH. The CVSS 8.8 score reflects a network-accessible, low-complexity attack requiring only low privileges and no user interaction — a combination that places this firmly in opportunistic exploitation territory once a proof-of-concept circulates. The AI agent context amplifies risk substantially: OpenClaw agents commonly hold elevated permissions to interact with filesystems, external APIs, and infrastructure services, meaning post-exploitation blast radius extends well beyond the initial process boundary. Critically, the allowlist bypass nature of this flaw undermines a control that security teams likely treated as a hard boundary, creating a false assurance problem. The 175 prior CVEs in the same package suggest systemic security debt rather than an isolated defect.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
What should I do?
5 steps
1. PATCH: Upgrade to OpenClaw 2026.5.18 or later immediately — this is the only complete fix.
2. WORKAROUND (if patching is delayed): Restrict submission of commands to OpenClaw agents to the minimum necessary principals; disable shell wrapper execution capabilities where not strictly required.
3. DETECTION: Monitor for unexpected child process spawns from OpenClaw agent processes that don't match known-good allowlisted command patterns; enable auditd or equivalent to capture argv at exec time for post-hoc review.
4. NETWORK: Limit network exposure of OpenClaw agent endpoints to trusted internal segments — the AV:N attack vector means internet-exposed instances are especially at risk.
5. AUDIT: Review all OpenClaw-integrated workflows and assume allowlist controls may have been bypassable since before 2026.5.18 — treat any command audit logs from that window as potentially unreliable.
Frequently Asked Questions
Is CVE-2026-53822 actively exploited?
No confirmed active exploitation of CVE-2026-53822 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-53822?
1. PATCH: Upgrade to OpenClaw 2026.5.18 or later immediately — this is the only complete fix.
2. WORKAROUND (if patching is delayed): Restrict submission of commands to OpenClaw agents to the minimum necessary principals; disable shell wrapper execution capabilities where not strictly required.
3. DETECTION: Monitor for unexpected child process spawns from OpenClaw agent processes that don't match known-good allowlisted command patterns; enable auditd or equivalent to capture argv at exec time for post-hoc review.
4. NETWORK: Limit network exposure of OpenClaw agent endpoints to trusted internal segments — the AV:N attack vector means internet-exposed instances are especially at risk.
5. AUDIT: Review all OpenClaw-integrated workflows and assume allowlist controls may have been bypassable since before 2026.5.18 — treat any command audit logs from that window as potentially unreliable.
What systems are affected by CVE-2026-53822?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-automated DevOps pipelines, tool-use orchestration systems, model serving with agent integration.
What is the CVSS score for CVE-2026-53822?
CVE-2026-53822 has a CVSS v3.1 base score of 8.8 (HIGH).
What is the AI security impact?
Affected AI Architectures: agent frameworks, AI-automated DevOps pipelines, tool-use orchestration systems, model serving with agent integration.
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls.
Exploitation Scenario
An attacker with low-privilege access to an organization's AI agent platform submits a benign, allowlist-approved command to an OpenClaw agent. Exploiting the TOCTOU race window between the allowlist check and the actual execve call, the attacker modifies the argv array in-process — substituting the approved command with a malicious payload such as a reverse shell or a credential-harvesting script targeting API keys stored in the agent's environment. Because the allowlist validation already completed successfully, the substituted command executes with the agent's full permissions. In environments where OpenClaw agents are integrated into automated pipelines with access to cloud credentials, model weights, training datasets, or downstream infrastructure, this translates to a full host compromise that can pivot to broader organizational infrastructure within minutes.
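The advisory and the scenario above describe a wrapper that validates argv against an allowlist and then executes whatever argv holds at exec time. The following is an added example, not OpenClaw's code, that models that check-then-use gap in a minimal Python wrapper and places the corrected form beside it: the vulnerable version checks a shared mutable list and later executes the same list, while the hardened version snapshots argv into an immutable tuple, validates that snapshot, and passes the identical object to exec. The allowlist, the exec stand-in (which records what would run instead of running it) and the hook that rewrites argv inside the window are all constructed for the demonstration.

```python
"""Minimal model of the CWE-367 gap in a check-then-exec shell wrapper, beside
a form that closes it. Added example, not OpenClaw's code: the allowlist, the
exec stand-in and the argv-rewriting hook are constructed for illustration."""
from typing import Callable, List, Sequence, Tuple

# Constructed allowlist of approved command shapes: executable -> permitted flags.
ALLOWLIST = {"ls": {"-l", "-a"}, "cat": set()}


def is_allowed(argv: Sequence[str]) -> bool:
    """Approve only a listed executable whose flags are all permitted for it."""
    if not argv or argv[0] not in ALLOWLIST:
        return False
    return all(not a.startswith("-") or a in ALLOWLIST[argv[0]] for a in argv[1:])


def exec_stand_in(argv: Sequence[str]) -> Tuple[str, ...]:
    """Stands in for os.execvp(): returns the argv it received so the caller can
    see exactly what would have been executed."""
    return tuple(argv)


def vulnerable_wrapper(argv: List[str], between_check_and_exec: Callable[[List[str]], None]):
    """Check-then-use on a shared, mutable list. Anything that runs after the
    check while holding a reference to the same list (a plugin, a later
    pipeline stage, another thread) can rewrite it, and exec reads the rewrite."""
    if not is_allowed(argv):
        raise PermissionError("argv rejected by allowlist")
    between_check_and_exec(argv)   # the TOCTOU window
    return exec_stand_in(argv)     # uses whatever the list holds now


def hardened_wrapper(argv: List[str], between_check_and_exec: Callable[[List[str]], None]):
    """Snapshot argv into an immutable tuple, validate that snapshot, and hand
    the very same object to exec: the value checked is the value used."""
    approved = tuple(argv)
    if not is_allowed(approved):
        raise PermissionError("argv rejected by allowlist")
    between_check_and_exec(argv)   # may still mutate the caller's list; it is no longer read
    return exec_stand_in(approved)


def rewrite_argv(argv: List[str]) -> None:
    """Constructed stand-in for whatever alters argv inside the window: replaces
    the approved invocation with a shape the allowlist would have rejected."""
    argv[:] = ["ls", "-R"]


if __name__ == "__main__":
    print("vulnerable executes:", vulnerable_wrapper(["ls", "-l"], rewrite_argv))  # ('ls', '-R')
    print("hardened executes:  ", hardened_wrapper(["ls", "-l"], rewrite_argv))    # ('ls', '-l')
```

The hardened form is one concrete reading of the CWE-367 guidance below: the check is only meaningful when it is applied to the exact object that reaches exec and nothing else can alter that object in between. A production wrapper would apply the same rule to the environment and working directory it passes along, since those shape the command as much as argv does.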
Weaknesses (CWE)
CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
- [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
- [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| ID | CVSS | Title | Package |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | openclaw (same package) |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw (same package) |
| GHSA-cwj3-vqpp-pmxr | 8.8 | openclaw: Model bypasses authz to persist unsafe config | openclaw (same package) |
| CVE-2026-35674 | 8.8 | OpenClaw: scope bypass enables full agent admin takeover | openclaw (same package) |
| CVE-2026-53811 | 8.8 | OpenClaw: privilege escalation via identity spoofing | openclaw (same package) |