CVE-2026-53827: OpenClaw: SSRF leaks Gateway credentials via model metadata

MEDIUM
Published June 12, 2026
CISO Take

OpenClaw before 2026.5.2 contains a Server-Side Request Forgery flaw (CWE-918) in its message.action forwarding layer where AI model-controlled metadata determines routing targets for action payloads — Gateway authentication credentials included — without validation. The attack requires only low privileges and no user interaction (CVSS 6.5, C:H), and critically it chains naturally with indirect prompt injection: a poisoned document or retrieval source the agent reads can silently redirect your Gateway tokens to an attacker-controlled listener with no human click required. This vulnerability class directly mirrors AIID #1368, in which malicious OpenClaw skills exfiltrated credentials in the wild in February 2026, confirming active attacker interest in this specific credential surface. Upgrade to 2026.5.2 immediately, rotate all Gateway credentials in affected deployments, and audit outbound action-forwarding logs for anomalous loopback or unexpected destination addresses.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium severity with disproportionate confidentiality impact (CVSS C:H) amplified by an AI-specific threat multiplier: the attack does not require direct code execution because manipulating model input via poisoned retrieval content or tool responses can trigger silent credential exfiltration, bypassing traditional perimeter controls. The 4 downstream dependents limit direct package blast radius, but enterprise OpenClaw deployments with centralized Gateway authentication pools face secondary exposure across every service sharing those credentials. No public exploit or KEV listing currently, but AIID #1368 establishes a proven adversary playbook against OpenClaw's credential surface as recently as February 2026.

How does the attack unfold?

  1. Initial Positioning (AML.T0051.001): Attacker with low-privilege access or control over a data source the OpenClaw agent reads crafts a payload containing a malicious loopback URL embedded in model-controlled action metadata.

  2. SSRF Exploitation (AML.T0049): OpenClaw's message.action forwarder consumes the attacker-supplied loopback URL from model metadata without validation and initiates an outbound request to the adversary-controlled endpoint.

  3. Credential Interception (AML.T0098): The full action payload including Gateway authentication tokens is transmitted to the attacker's listener, which captures the credentials.

  4. Lateral Movement (AML.T0086): Stolen Gateway credentials authenticate to connected services, enabling unauthorized API access, data exfiltration, or further pivoting across the AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 70% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. Upgrade OpenClaw to 2026.5.2 immediately — see vendor advisory GHSA-grc3-2j34-p6gm for patch details.

  2. Rotate all Gateway credentials and API tokens configured in OpenClaw agent deployments; treat credentials in pre-patch deployments as potentially compromised.

  3. Audit outbound connection logs from OpenClaw hosts for requests to loopback addresses (127.0.0.1, ::1) or unexpected internal destinations in action-forwarding events.

  4. Apply network egress controls to restrict OpenClaw processes to pre-approved outbound destinations, blocking arbitrary loopback forwarding at the host or container level.

  5. Enforce least-privilege Gateway token scopes — prefer short-lived, narrowly-scoped credentials that limit the value of any stolen token.

  6. Deploy model output validation in the action metadata pipeline to detect and reject anomalous URL patterns before the forwarder consumes them.
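One way to run the audit in step 3, as an added example that is not OpenClaw's own code: it scans forwarding events and flags loopback, internal, and unapproved destinations. The JSON-lines log schema, the `action.forward` event name, and the `gateway.corp.example` allowlist entry are assumptions made for the example.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample events. The JSON schema ("event", "target") is an
# assumption for this example, not OpenClaw's real log format.
SAMPLE_LOG = """\
{"ts": "2026-06-10T09:14:02Z", "event": "action.forward", "target": "https://gateway.corp.example/v1/actions"}
{"ts": "2026-06-10T09:14:07Z", "event": "action.forward", "target": "http://127.0.0.1:8081/collect"}
{"ts": "2026-06-10T09:15:30Z", "event": "action.forward", "target": "http://[::1]:9000/hook"}
{"ts": "2026-06-10T09:16:11Z", "event": "action.forward", "target": "http://10.20.0.7/internal"}
{"ts": "2026-06-10T09:16:40Z", "event": "model.reply", "target": null}
{"ts": "2026-06-10T09:17:05Z", "event": "action.forward", "target": "https://files.partner.example/upload"}
"""

APPROVED_HOSTS = {"gateway.corp.example"}  # assumption: your pre-approved destinations


def classify(target):
    """Return None for an approved destination, else a short reason string."""
    host = (urlsplit(target).hostname or "").rstrip(".").lower()
    if host in APPROVED_HOSTS:
        return None
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unapproved-host"
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the IPv4 address inside it.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal-address"
    return "unapproved-ip"


def audit(log_text):
    """Return (timestamp, reason, target) for every suspicious forwarding event."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        if event.get("event") != "action.forward" or not event.get("target"):
            continue
        reason = classify(event["target"])
        if reason:
            findings.append((event["ts"], reason, event["target"]))
    return findings
```

Any finding dated before the upgrade is a reason to treat the Gateway credentials in that deployment as exposed and rotate them, per step 2.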

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to maintain deployed AI system integrity
OWASP LLM Top 10: LLM02 - Insecure Output Handling; LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53827 actively exploited?

No confirmed active exploitation of CVE-2026-53827 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53827?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI Gateway deployments, multi-agent orchestration systems, API-connected AI workflows.

What is the CVSS score for CVE-2026-53827?

CVE-2026-53827 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI Gateway deployments, multi-agent orchestration systems, API-connected AI workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051.001 Indirect
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0098 AI Agent Tool Credential Harvesting

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata.

Exploitation Scenario

An attacker targets an enterprise running OpenClaw agents with access to internal APIs via shared Gateway credentials. They poison a document in a retrieval store the agent regularly reads with an indirect prompt injection payload that overrides the action metadata loopback URL with an attacker-controlled address tunneled through an internal-looking hostname. When the OpenClaw agent processes its next scheduled task, the message.action forwarder reads the model-controlled metadata, accepts the attacker's URL without validation, and transmits the full action payload — including Gateway authentication tokens — to the attacker's listener. The attacker captures valid Gateway credentials and uses them to access the organization's AI API gateway, exfiltrating data or pivoting laterally to connected services without triggering endpoint detection on the compromised machine.
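The missing check in this scenario, sketched as an added example (not OpenClaw's code and not the vendor's patch): the forwarder attaches Gateway credentials only when the model-supplied target matches an origin from static operator config. `TRUSTED_ORIGINS`, the `target` metadata key, and `build_forward_request` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: the only origins allowed to receive Gateway credentials, set by
# the operator in static config and never derived from model output.
TRUSTED_ORIGINS = {("https", "gateway.corp.example", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


class UntrustedTarget(ValueError):
    """Raised when a model-supplied target must not receive credentials."""


def check_forward_target(url):
    """Return the normalised origin if url may receive credentials, else raise."""
    if not isinstance(url, str) or any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in url):
        raise UntrustedTarget("malformed URL")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        raise UntrustedTarget("unparseable URL") from None
    # "https://trusted-host@other-host/" parses with other-host as the real host.
    if parts.username is not None or parts.password is not None:
        raise UntrustedTarget("userinfo not allowed")
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    origin = (scheme, host, port or DEFAULT_PORTS.get(scheme))
    # Exact tuple match: no suffix, prefix, or substring comparison on the host.
    if origin not in TRUSTED_ORIGINS:
        raise UntrustedTarget(f"origin not allowlisted: {origin}")
    return origin


def build_forward_request(metadata, payload, gateway_token):
    """Hypothetical forwarder step: the token is attached only after the check."""
    check_forward_target(metadata.get("target"))
    return {
        "url": metadata["target"],
        "headers": {"Authorization": f"Bearer {gateway_token}"},
        "json": payload,
        "allow_redirects": False,  # a redirect would carry the token off-origin
    }
```

Matching on the full (scheme, host, port) tuple means an internal-looking hostname, as in the scenario above, gains nothing unless it is literally in the operator's list.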

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
