CVE-2026-53829: OpenClaw: approval truncation bypasses exec oversight

HIGH
Published June 12, 2026
CISO Take

OpenClaw before 2026.5.18 truncates oversized exec commands in its approval UI, allowing an authenticated low-privilege attacker to smuggle malicious command suffixes past human reviewers who see only the benign prefix. This directly subverts human-in-the-loop controls — the primary safety mechanism organizations deploy to constrain AI agent actions — with potential for full confidentiality, integrity, and availability compromise (CVSS 8.0, C:H/I:H/A:H). The package carries 175 prior CVEs and 4 downstream dependents, signaling systemic security debt that warrants scrutiny before expanding agentic deployments. Patch immediately to 2026.5.18, audit approval logs for anomalously long commands that may have exploited this truncation window, and enforce command-length caps or full-text display as interim controls.

Sources: NVD, GitHub Advisory, ATLAS, vendor advisory (github.com/openclaw), third-party advisory (vulncheck.com)

What is the risk?

High risk for any organization using OpenClaw in human-in-the-loop agentic workflows. Attack complexity is low, only low privileges are required, and the network attack vector means exposure is broad wherever OpenClaw is internet-reachable. The critical factor is that this vulnerability defeats the approval control itself — meaning blast radius is proportional to the agent's authorized capabilities, not to the attacker's privilege level. The 175 prior CVEs in this package suggest a pattern of security debt that compounds overall risk.

How does the attack unfold?

  1. Authenticated Access (AML.T0012): Attacker obtains a low-privilege authenticated account in the target OpenClaw deployment via compromised credentials or social engineering.

  2. Malicious Command Crafting (AML.T0074): Attacker constructs an oversized exec command with a routine benign prefix followed by a malicious payload designed to exceed the approval UI's display truncation threshold.

  3. Approval Bypass via Truncation (AML.T0107): Human approver sees only the benign prefix in the truncated display and approves the request, unknowingly authorizing the full malicious command string.

  4. Unauthorized Execution and Impact (AML.T0053): OpenClaw executes the complete untruncated command including the hidden malicious suffix, resulting in unauthorized data access, system modification, or availability disruption (C:H/I:H/A:H).

What systems are affected?

Package    Ecosystem  Vulnerable Range  Patched
OpenClaw   pip                          No patch
Dependents: 4 (70% patched, ~0d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.0 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch: Upgrade OpenClaw to 2026.5.18 or later immediately — this is the only complete fix.

  2. Audit: Review recent approval logs for commands significantly exceeding average length; focus on approvals where truncation may have hidden content.

  3. Interim workaround: If patching is delayed, restrict OpenClaw exec permissions to minimum required scope and require multi-reviewer approval for commands above a defined character threshold.

  4. Detection: Alert in SIEM on exec command lengths exceeding your display limit; monitor for unexpected operations following approvals.

  5. Architecture: Evaluate whether OpenClaw deployments have data or infrastructure access that would amplify impact if exploited — reduce blast radius through least-privilege agent scoping.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 14 - Human oversight
ISO 42001
8.4 - Human oversight of AI systems
NIST AI RMF
GOVERN 6.2 - Human oversight and control
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53829?

OpenClaw before 2026.5.18 truncates oversized exec commands in its approval UI, allowing an authenticated low-privilege attacker to smuggle malicious command suffixes past human reviewers who see only the benign prefix. This directly subverts human-in-the-loop controls — the primary safety mechanism organizations deploy to constrain AI agent actions — with potential for full confidentiality, integrity, and availability compromise (CVSS 8.0, C:H/I:H/A:H). The package carries 175 prior CVEs and 4 downstream dependents, signaling systemic security debt that warrants scrutiny before expanding agentic deployments. Patch immediately to 2026.5.18, audit approval logs for anomalously long commands that may have exploited this truncation window, and enforce command-length caps or full-text display as interim controls.

Is CVE-2026-53829 actively exploited?

No confirmed active exploitation of CVE-2026-53829 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53829?

  1. Patch: Upgrade OpenClaw to 2026.5.18 or later immediately — this is the only complete fix.

  2. Audit: Review recent approval logs for commands significantly exceeding average length; focus on approvals where truncation may have hidden content.

  3. Interim workaround: If patching is delayed, restrict OpenClaw exec permissions to minimum required scope and require multi-reviewer approval for commands above a defined character threshold.

  4. Detection: Alert in SIEM on exec command lengths exceeding your display limit; monitor for unexpected operations following approvals.

  5. Architecture: Evaluate whether OpenClaw deployments have data or infrastructure access that would amplify impact if exploited — reduce blast radius through least-privilege agent scoping.

What systems are affected by CVE-2026-53829?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Human-in-the-loop approval pipelines, Agentic automation workflows, Enterprise AI orchestration platforms.

What is the CVSS score for CVE-2026-53829?

CVE-2026-53829 has a CVSS v3.1 base score of 8.0 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Human-in-the-loop approval pipelines
Agentic automation workflows
Enterprise AI orchestration platforms

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0053 AI Agent Tool Invocation
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 14
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval.

Exploitation Scenario

An attacker with a low-privilege OpenClaw account constructs an exec request beginning with a routine, recognizable operation (e.g., 'list files in /var/data/reports') followed by several hundred additional characters pushing a malicious payload — credential harvesting, data exfiltration, or destructive deletion — beyond the approval UI's display cutoff. The human approver reviews the truncated display, sees only the benign prefix, and approves the request. OpenClaw executes the full command string, completing the unauthorized operation with full C:H/I:H/A:H system impact, all while appearing as a legitimately approved action in audit logs.

Weaknesses (CWE)

CWE-451 — User Interface (UI) Misrepresentation of Critical Information: The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

  • [Implementation] Perform data validation (e.g. syntax, length, etc.) before interpreting the data.
  • [Architecture and Design] Create a strategy for presenting information, and plan for how to display unusual characters.

Source: MITRE CWE corpus.
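The two CWE-451 mitigations above (validate length before interpreting; have a deliberate display strategy) applied to an approval gate, as an added example and not OpenClaw's fix: oversized or control-character-laden commands are rejected at submission, the approver is always given the full text with an explicit warning when it exceeds the display width, and the approval record is bound to a SHA-256 digest of the full command so the executor refuses anything that differs from what was approved. The silent-slicing pattern the advisory describes is included as render_unsafe for contrast. MAX_COMMAND_CHARS and DISPLAY_LIMIT are assumed policy values, and the runner callable stands in for whatever actually executes the command.

```python
"""Approval gate that never hides command text from the approver.

Added example, not OpenClaw's fix. MAX_COMMAND_CHARS and DISPLAY_LIMIT are
assumed policy values; the runner passed to execute_if_approved is a stand-in.
"""
import hashlib
import hmac
from dataclasses import dataclass

MAX_COMMAND_CHARS = 2000  # assumed submission cap: validate length before anything interprets it
DISPLAY_LIMIT = 120       # assumed width of the approval UI's command box


def render_unsafe(command: str, limit: int = DISPLAY_LIMIT) -> str:
    """The flawed pattern the advisory describes: the text is cut at the display
    limit with no indication, so the approver cannot tell anything was omitted."""
    return command[:limit]


@dataclass(frozen=True)
class ApprovalView:
    command: str              # full text, always shown
    digest: str               # SHA-256 of the exact text shown
    length: int
    hidden_if_truncated: int  # how much a width-limited box would hide; drives a visible warning


def command_digest(command: str) -> str:
    return hashlib.sha256(command.encode("utf-8")).hexdigest()


def validate_command(command: str) -> str:
    """Reject input the display strategy cannot represent faithfully."""
    if not command.strip():
        raise ValueError("empty command")
    if len(command) > MAX_COMMAND_CHARS:
        raise ValueError(f"command exceeds {MAX_COMMAND_CHARS} characters")
    # Control characters (other than tab) can move the cursor or erase text in a
    # terminal-style display, so they are rejected rather than rendered.
    if any((ch < " " and ch != "\t") or ch == "\x7f" for ch in command):
        raise ValueError("command contains control characters")
    return command


def render_for_approval(command: str) -> ApprovalView:
    """Build what the approver sees: the whole command plus an explicit size warning."""
    validate_command(command)
    return ApprovalView(
        command=command,
        digest=command_digest(command),
        length=len(command),
        hidden_if_truncated=max(0, len(command) - DISPLAY_LIMIT),
    )


def approval_banner(view: ApprovalView) -> str:
    """Text shown above the command box; warns when the box alone would not suffice."""
    if view.hidden_if_truncated:
        return (f"WARNING: {view.length}-char command, {view.hidden_if_truncated} chars beyond "
                f"the {DISPLAY_LIMIT}-char box; scroll to review all of it. sha256={view.digest[:16]}")
    return f"{view.length}-char command. sha256={view.digest[:16]}"


def approve(view: ApprovalView, approver: str) -> dict:
    """The approval record is bound to the digest of the text the approver saw."""
    return {"approver": approver, "digest": view.digest}


def execute_if_approved(command: str, approval: dict, runner) -> bool:
    """Executor recomputes the digest of the exact string it would run and refuses
    on mismatch, so nothing runs that was not seen in full by the approver."""
    if not hmac.compare_digest(command_digest(command), approval["digest"]):
        return False
    runner(command)
    return True


if __name__ == "__main__":
    view = render_for_approval("ls -la /var/data/reports " + " ".join(["--ignore=tmp"] * 40))
    print(approval_banner(view))
    executed = []
    print("executed:", execute_if_approved(view.command, approve(view, "alice"), executed.append))
```

The digest binding is the part that matters architecturally: even if a future UI regression truncates again, a mismatch between what the approver's client hashed and what the executor is about to run is caught at execution time rather than relying on the display alone.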

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026
