CVE-2026-53831: OpenClaw: safe-bin allowlist bypass via shell expansion

HIGH
Published June 12, 2026
CISO Take

OpenClaw's system.run tool validates commands against a safe-bin allowlist but suffers a TOCTOU gap: the allowlist check passes on the surface command string, then POSIX shell expansion rewrites it at execution time, running attacker-controlled instructions entirely outside the approved set. Any authenticated operator — a low-privilege role — can exploit this to read arbitrary node-local files, exposing LLM API keys, database credentials, and agent configuration secrets. With a CVSS of 8.3 (network-reachable, low complexity, no user interaction required), the practical barrier is minimal for anyone holding an operator account, and the 174 prior CVEs in the same package further erode confidence in the codebase's security baseline. Patch to OpenClaw 2026.5.18 or later immediately; if patching is delayed, strip operator role assignment to the minimum necessary set, restrict the OpenClaw process user's filesystem permissions, and rotate all secrets stored on affected nodes.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS.

What is the risk?

High. CVSS 8.3 with a network attack vector, low privilege requirement, and no user interaction means any authenticated operator in a shared or multi-tenant OpenClaw deployment can exploit this without specialized AI or security knowledge — shell metacharacter injection is well-understood and scripts are freely available. No public exploit or CISA KEV listing exists today, keeping near-term opportunistic exploitation lower, but the technique transfers trivially from general shell injection tradecraft. Confidentiality and integrity are both rated HIGH by NVD, reflecting the ability to read sensitive files and potentially chain into downstream service compromise. The 4 downstream dependents constrain blast radius at the package level, but AI agent deployments handle high-value credentials that make even narrow exploitation disproportionately impactful.

How does the attack unfold?

  1. Initial Access (AML.T0012): Adversary obtains low-privilege operator credentials for the OpenClaw deployment via legitimate provisioning, credential theft, or a compromised CI pipeline service account.

  2. Allowlist Bypass (AML.T0053): Adversary crafts a system.run call combining an allowlisted binary with shell metacharacters (semicolon, backtick, subshell) that pass validation on the surface string but cause shell expansion to rewrite the command at execution time.

  3. Local File Collection (AML.T0037): Shell expansion executes attacker-controlled commands on the POSIX node, reading arbitrary configuration files (.env, agent config, OS credential stores) outside the operator's authorized scope.

  4. Credential Exfiltration & Lateral Movement (AML.T0083): Captured secrets (LLM API keys, database credentials, internal service tokens) are used to access downstream AI services directly or escalate privileges across the connected AI stack.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Patched: No patch
Dependents: 4 (70% patched, ~0d to patch)


How severe is it?

CVSS 3.1: 8.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: Low

What should I do?

6 steps
  1. Patch: Upgrade OpenClaw to 2026.5.18 or later immediately — this is the only complete fix.

  2. Restrict operator role: Audit all accounts with operator access; remove it from any account that does not strictly require system.run capability.

  3. Workaround (if patching is delayed): Run the OpenClaw process under a restricted OS user with minimal filesystem permissions (no access to .env files, secret stores, or credential directories). Consider disabling system.run entirely if not operationally required.

  4. Detection: Scan system.run call logs for shell metacharacters ($, ;, |, &&, backtick, >, <, {, }); alert on any allowlisted command string containing these characters.

  5. Credential rotation: Assume any node-local file accessible to the OpenClaw process user may have been read; rotate all API keys, database passwords, and service tokens on affected nodes.

  6. Monitor: Alert on unexpected outbound connections or anomalous file access patterns from the OpenClaw process.
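A log-scanning implementation of detection step 4, added here as an example (not OpenClaw's own code): it walks constructed JSON-lines records of tool calls, keeps only system.run events, and raises an alert whenever the command string carries any of the listed shell metacharacters, flagging the case where the leading binary is allowlisted (the bypass signature). The log layout, field names and the SAFE_BINS allowlist are assumptions for the example.

```python
import json
import re
from typing import Dict, List

# Metacharacters from mitigation step 4: $ ; | && backtick > < { }
META_RE = re.compile(r"(\$|;|\||&&|`|>|<|\{|\})")
SAFE_BINS = {"cat", "echo", "ls"}  # assumed allowlist, not OpenClaw's real one

# Constructed sample audit log (one JSON object per line); not real OpenClaw output.
SAMPLE_LOG = """
{"ts":"2026-06-12T10:01:02Z","operator":"ci-bot","tool":"system.run","command":"cat /tmp/approved-file"}
{"ts":"2026-06-12T10:01:09Z","operator":"dev-alice","tool":"system.run","command":"cat /tmp/approved-file; cat /opt/openclaw/.env"}
{"ts":"2026-06-12T10:01:15Z","operator":"dev-bob","tool":"web.fetch","command":"https://example.invalid/?a=1&&b=2"}
{"ts":"2026-06-12T10:02:30Z","operator":"dev-alice","tool":"system.run","command":"echo `id`"}
{"ts":"2026-06-12T10:03:00Z","operator":"ci-bot","tool":"system.run","command":"ls -la /tmp/approved"}
""".strip()


def scan_system_run_log(text: str) -> List[Dict[str, object]]:
    """Return one alert per system.run event whose command contains shell metacharacters."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than crash the scanner
        if ev.get("tool") != "system.run":
            continue  # only the affected tool is in scope; URLs in web.fetch legitimately contain &&
        cmd = str(ev.get("command", ""))
        hits = sorted({m.group(0) for m in META_RE.finditer(cmd)})
        if not hits:
            continue
        words = cmd.split()
        binary = words[0] if words else ""
        alerts.append({
            "ts": ev.get("ts", ""),
            "operator": ev.get("operator", ""),
            "binary": binary,
            "allowlisted": binary in SAFE_BINS,  # True = passed the surface check, yet carries metachars
            "metachars": ",".join(hits),
            "command": cmd,
        })
    return alerts


if __name__ == "__main__":
    for a in scan_system_run_log(SAMPLE_LOG):
        print(f'{a["ts"]} operator={a["operator"]} allowlisted={a["allowlisted"]} '
              f'metachars={a["metachars"]} cmd={a["command"]!r}')
```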

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10
LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-53831 actively exploited?

No confirmed active exploitation of CVE-2026-53831 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53831?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Agentic task orchestration pipelines, Multi-tenant AI platforms, AI development and CI/CD environments.

What is the CVSS score for CVE-2026-53831?

CVE-2026-53831 has a CVSS v3.1 base score of 8.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Agentic task orchestration pipelines
Multi-tenant AI platforms
AI development and CI/CD environments

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Clause 6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07:2023

What are the technical details?

Original Advisory

OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-local files and expose sensitive configuration data.

Exploitation Scenario

An authenticated operator — a developer, automated CI pipeline service account, or a compromised internal user — submits a system.run call using an approved binary such as 'cat' or 'echo', appending a shell metacharacter payload: for example, 'cat /tmp/approved-file; cat /opt/openclaw/.env'. The safe-bin allowlist validates 'cat' as permitted and passes the full string to the POSIX shell. The shell interprets the semicolon as a command separator, executing both the approved read and the attacker-controlled read. The contents of /opt/openclaw/.env — likely containing OPENAI_API_KEY, DATABASE_URL, CLERK_SECRET_KEY, or equivalent — are returned to the operator. The adversary then uses these credentials to call the LLM provider directly, query the vector database with no audit trail, or escalate privileges across connected services, potentially reaching the broader AI infrastructure. This attack path closely mirrors the credential exfiltration pattern documented in AIID #1368 for the OpenClaw ecosystem.
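The gap described above, shown beside a hardened validator; this is an added illustration, not OpenClaw's code. The flawed check inspects only the leading word and leaves the rest for a shell to rewrite later; the hardened version tokenises with shlex before deciding, rejects any token a POSIX shell would expand, confines path arguments to an assumed APPROVED_ROOT, and execs argv with no shell involved. SAFE_BINS and APPROVED_ROOT are assumed values.

```python
import os
import shlex
import subprocess
from typing import List, Optional

# Assumed configuration for this example (not OpenClaw's real settings).
SAFE_BINS = {"cat", "echo", "ls"}          # the "safe-bin" allowlist
SHELL_META = set(";|&$`<>(){}*?~\n")       # characters a POSIX shell would rewrite
APPROVED_ROOT = "/tmp/approved"            # only paths under this tree may be named


def vulnerable_check(command: str) -> bool:
    """Flawed pattern: only the leading word is compared against the allowlist.
    Nothing after it is examined, so a caller that then hands the whole string
    to a shell (shell=True) lets expansion rewrite it after the check passed."""
    words = command.split()
    return bool(words) and words[0] in SAFE_BINS


def hardened_check(command: str) -> Optional[List[str]]:
    """Parse first, decide second: returns argv to exec, or None to reject."""
    try:
        argv = shlex.split(command)           # tokenise like a shell, expand nothing
    except ValueError:                        # unbalanced quotes
        return None
    if not argv or argv[0] not in SAFE_BINS:
        return None
    root = os.path.realpath(APPROVED_ROOT)
    for tok in argv[1:]:
        if set(tok) & SHELL_META:             # a shell would have expanded this token
            return None
        if "/" in tok or tok.startswith("."):  # looks like a path: confine it
            real = os.path.realpath(tok)      # resolves symlinks and '..'
            if os.path.commonpath([real, root]) != root:
                return None                   # escapes the approved tree
    return argv


def run_hardened(command: str) -> Optional[subprocess.CompletedProcess]:
    argv = hardened_check(command)
    if argv is None:
        return None
    # A list argv with shell=False is exec'd directly; no shell ever sees the string.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
```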

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
