CVE-2026-53824: OpenClaw: stale slash tokens bypass revocation controls
Severity: MEDIUM
OpenClaw before 2026.4.24 fails to immediately enforce token revocation for slash commands, leaving a window where attackers whose credentials have been revoked can continue invoking agent commands until the monitor refreshes its state. In AI agent deployments this matters beyond a standard auth bypass: the post-revocation execution window means a terminated employee or compromised account can trigger tool invocations — data queries, file operations, pipeline calls — even after an administrator believes access has been cut. CVSS rates integrity impact as High with low attack complexity and no user interaction required, meaning any ex-holder of a valid token can exploit this without special knowledge. No public exploit or KEV listing indicates no observed in-the-wild exploitation today, but the low bar to exploit makes patching time-sensitive. Upgrade to OpenClaw 2026.4.24 immediately; as an interim control, force-rotate all slash tokens and audit command logs for executions timestamped after revocation events.
What is the risk?
Medium overall, elevated for organizations with AI agent deployments where slash commands trigger sensitive operations. CVSS 6.5 reflects network-accessible exploitation requiring only low privileges — any previously authorized user can exploit the revocation lag. The refresh window duration is unspecified but likely seconds to minutes, making real-time exploitation feasible for a motivated insider or in a compromised-account scenario. No KEV listing and unavailable EPSS data suggest no confirmed in-the-wild exploitation. The 175 other CVEs in the same package signal a historically vulnerability-prone codebase warranting elevated scrutiny beyond this individual finding.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
What should I do?
Five steps:
1. Patch to OpenClaw 2026.4.24 or later immediately.
2. If patching is not immediately possible, force-rotate all active slash tokens to reset acceptance windows and invalidate any currently exploitable stale tokens.
3. Audit command execution logs for entries timestamped after token revocation events — any such entries indicate exploitation or an abnormally long refresh window.
4. Implement network-level controls to block OpenClaw command endpoints for revoked-user source IPs as defense-in-depth.
5. Review operator configuration for sensitive slash commands and enforce least-privilege token scoping to limit blast radius if the vulnerability is triggered.
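The log audit recommended above, as an added example that is not OpenClaw project code: it correlates revocation events with later executions of the same token and reports the lag, which also estimates how long the refresh window actually was. The log format, field names and sample lines are constructed and hypothetical; adapt the regex to the real audit log.

```python
"""Flag slash-command executions logged after the token's revocation.

Added example, not OpenClaw project code. The log format is constructed and
hypothetical: ISO timestamp, event type ('revoke' or 'exec'), key=value fields.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>revoke|exec)\s+(?P<fields>.*)$")

def _parse_ts(raw):
    # fromisoformat accepts a trailing 'Z' only on Python 3.11+, so normalise it.
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))

def _fields(raw):
    return dict(kv.split("=", 1) for kv in raw.split())

def find_post_revocation_executions(lines):
    """Return (token, command, lag_seconds) for every exec after its token's revocation.

    Lines need not be ordered: revocation times are collected first, then each
    execution is compared with the earliest revocation seen for its token.
    """
    revoked_at, execs = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # unrelated log line
        ts, f = _parse_ts(m["ts"]), _fields(m["fields"])
        if m["event"] == "revoke":
            revoked_at[f["token"]] = min(ts, revoked_at.get(f["token"], ts))
        else:
            execs.append((ts, f["token"], f.get("cmd", "?")))
    findings = []
    for ts, tok, cmd in sorted(execs):
        if tok in revoked_at and ts >= revoked_at[tok]:
            findings.append((tok, cmd, (ts - revoked_at[tok]).total_seconds()))
    return findings

# Constructed sample: tok_a is revoked at 10:00:00 but still executes twice after.
SAMPLE_LOG = [
    "2026-04-20T09:59:58Z exec token=tok_a cmd=/query",
    "2026-04-20T10:00:00Z revoke token=tok_a actor=admin",
    "2026-04-20T10:00:02Z exec token=tok_b cmd=/status",
    "2026-04-20T10:00:07Z exec token=tok_a cmd=/export-history",
    "2026-04-20T10:00:30Z exec token=tok_a cmd=/run-pipeline",
    "2026-04-20T10:05:00Z revoke token=tok_b actor=admin",
]

if __name__ == "__main__":
    for tok, cmd, lag in find_post_revocation_executions(SAMPLE_LOG):
        print(f"ALERT: {tok} ran {cmd} {lag:.0f}s after revocation")
```

The largest lag reported for a token is a lower bound on the refresh window in effect at the time; executions before the revocation timestamp are legitimately ignored.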
Frequently Asked Questions
Is CVE-2026-53824 actively exploited?
No confirmed active exploitation of CVE-2026-53824 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-53824?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, slash command integrations, enterprise AI assistant platforms, human-in-the-loop agent pipelines.
What is the CVSS score for CVE-2026-53824?
CVE-2026-53824 has a CVSS v3.1 base score of 6.5 (MEDIUM).
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0053 AI Agent Tool Invocation
- AML.T0091.000 Application Access Token
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially executing unauthorized actions depending on operator configuration.
Exploitation Scenario
A recently terminated employee whose OpenClaw slash token was revoked by an administrator immediately begins sending slash commands to the organization's AI agent deployment. Because the monitor has not yet refreshed its revocation state — likely a configurable interval — commands are accepted and executed as if the token were still valid. In a real AI agent context this could trigger tool invocations such as exporting conversation histories, querying internal knowledge bases, or initiating automated pipeline tasks, all completing before the monitor refresh fires and the token is rejected. If the refresh interval is predictable or observable, the attacker can time repeated exploitation windows precisely.
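The scenario above comes down to one design choice: whether the gate that accepts a slash token checks the authoritative revocation record on every call or a periodically refreshed copy of it. The following added model, which is not OpenClaw's code and infers the monitor/refresh design only from the advisory wording, reproduces the window with a fake clock and shows two ways to close it (push-based invalidation of the cache, or a synchronous check).

```python
# Added model of the revocation-lag flaw (CWE-613), not OpenClaw's own code.
# The monitor/refresh design is inferred from the advisory wording; a fake
# clock is injected so the window can be reproduced deterministically.

class RevocationStore:
    """Authoritative record of revoked tokens (e.g. a DB or auth service)."""
    def __init__(self):
        self._revoked, self.listeners = set(), []
    def revoke(self, token):
        self._revoked.add(token)
        for notify in self.listeners:   # push to subscribers immediately
            notify(token)
    def is_revoked(self, token):
        return token in self._revoked
    def snapshot(self):
        return set(self._revoked)

class CachedMonitor:
    """Vulnerable pattern: a snapshot refreshed only every `interval` seconds."""
    def __init__(self, store, clock, interval):
        self.store, self.clock, self.interval = store, clock, interval
        self._snapshot, self._last = store.snapshot(), clock()
    def allows(self, token):
        now = self.clock()
        if now - self._last >= self.interval:           # lazy refresh
            self._snapshot, self._last = self.store.snapshot(), now
        return token not in self._snapshot              # stale until then

class PushInvalidatedMonitor(CachedMonitor):
    """Fix 1: keep the cache, but a revocation invalidates it at once."""
    def __init__(self, store, clock, interval):
        super().__init__(store, clock, interval)
        store.listeners.append(lambda t: self._snapshot.add(t))

class StrictGate:
    """Fix 2: consult the authoritative store on every invocation."""
    def __init__(self, store):
        self.store = store
    def allows(self, token):
        return not self.store.is_revoked(token)

def simulate(make_gate, interval=60):
    """Return (accepted 5 s after revocation, accepted after the refresh)."""
    now = [0]
    store = RevocationStore()
    gate = make_gate(store, lambda: now[0])
    store.revoke("tok_ex_employee")   # administrator revokes at t=0
    now[0] += 5                       # inside the refresh window
    during = gate.allows("tok_ex_employee")
    now[0] += interval                # past the refresh interval
    return during, gate.allows("tok_ex_employee")
```

`simulate(lambda s, c: CachedMonitor(s, c, 60))` returns `(True, False)`: the revoked token is still accepted inside the window; both fixes return `(False, False)`.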
Weaknesses (CWE)
CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
- [Implementation] Set sessions/credentials expiration date.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Related Vulnerabilities
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3) OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-cwj3-vqpp-pmxr (8.8) openclaw: Model bypasses authz to persist unsafe config (same package: openclaw)
- CVE-2026-35674 (8.8) OpenClaw: scope bypass enables full agent admin takeover (same package: openclaw)
- CVE-2026-53811 (8.8) OpenClaw: privilege escalation via identity spoofing (same package: openclaw)