CVE-2026-53835: OpenClaw: auth bypass in Feishu agent binding controls

MEDIUM
Published June 12, 2026
CISO Take

CVE-2026-53835 is an authorization bypass (CWE-863) in OpenClaw's Feishu dynamic-agent binding feature that lets any authenticated user—regardless of privilege level—create or update agent-sender bindings while silently ignoring configured config-write controls. In AI agent deployments, controlling which sender is bound to which agent is a core access-control boundary; bypassing it can allow an attacker to redirect agent capabilities, potentially expanding what operations they can trigger through the agent. With 4 downstream dependents, no public exploit, no KEV listing, and a CVSS of 4.3, the immediate threat is modest—but this package carries 174 prior CVEs, a track record that warrants scrutiny of any production deployment. Patch to OpenClaw 2026.5.6 or later immediately and audit all existing Feishu dynamic-agent bindings for unauthorized modifications.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk overall, though context-dependent. The CVSS 4.3 (AV:N/AC:L/PR:L/UI:N) means exploitation is trivially easy for any authenticated user over the network with no special conditions. The rated integrity impact is low (I:L) with no confidentiality or availability impact per the base score, but this understates real-world exposure in agent deployments: if the compromised binding connects to an agent with elevated tooling access, the attacker's operational reach expands well beyond what the CVSS score conveys. The 174 prior CVEs in OpenClaw signal a systemic security debt that should factor into deployment decisions.

How does the attack unfold?

  1. Authenticated Access (AML.T0012): Attacker authenticates to the OpenClaw deployment using any valid low-privilege account—such as a compromised contractor credential or a standard internal user account.

  2. Config Bypass Exploitation (AML.T0081): Attacker crafts an API request to the Feishu dynamic-agent binding endpoint; config-write controls mandated by policy are not enforced (CWE-863), allowing the request to succeed without authorization.

  3. Unauthorized Binding Creation (AML.T0084): Attacker successfully binds their account to a high-privilege agent ordinarily restricted to authorized senders, or re-binds an existing agent away from its legitimate sender.

  4. Agent Capability Abuse (AML.T0053): Attacker invokes the newly bound agent's tools and capabilities beyond their authorization level, reaching internal data sources, automation workflows, or connected enterprise systems through the agent as a proxy.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | pip | | No patch

4 dependents, 70% patched, ~0d to patch


How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

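Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None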

What should I do?

  1. Upgrade OpenClaw to version 2026.5.6 or later immediately—this release contains the fix.

  2. Audit all existing Feishu dynamic-agent bindings in your deployment for unauthorized or unexpected entries; focus on bindings created or modified between the package's prior version and the patch.

  3. Restrict OpenClaw API access at the network perimeter to trusted internal hosts while patching is in progress.

  4. Apply least-privilege to all agent-tool bindings—revoke any agent access to tooling it does not actively require.

  5. Enable and alert on binding change events, treating any binding modification from non-administrative accounts as a high-priority security event pending investigation.
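
One way to carry out steps 2 and 5 as a log review, given here as an added example that is not OpenClaw code. The event names, field names, account IDs and upgrade time are constructed assumptions; map them to whatever your deployment actually records.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit log. Field and event names are assumptions for this
# example, not OpenClaw's real log schema.
SAMPLE_EVENTS = """\
{"ts": "2026-06-01T09:14:02Z", "event": "binding.create", "actor": "admin01", "agent": "ops-agent"}
{"ts": "2026-06-03T22:41:10Z", "event": "binding.update", "actor": "contractor7", "agent": "ops-agent"}
{"ts": "2026-06-04T08:00:00Z", "event": "message.receive", "actor": "user22", "agent": "helpdesk"}
truncated or corrupted line
{"ts": "2026-06-20T11:30:45Z", "event": "binding.create", "actor": "user22", "agent": "helpdesk"}
"""
ADMINS = {"admin01"}                                      # hypothetical admin accounts
BINDING_EVENTS = {"binding.create", "binding.update"}     # hypothetical event names
UPGRADED_AT = datetime(2026, 6, 15, tzinfo=timezone.utc)  # assumed time 2026.5.6 was deployed


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_binding_changes(log_text, admins, upgraded_at):
    """Return findings for binding changes made by non-administrative accounts."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(raw)
            when = parse_ts(event["ts"])
            kind, actor = event["event"], event["actor"]
        except (ValueError, KeyError, TypeError):
            # Never drop unreadable audit records silently; a gap is itself a lead.
            findings.append({"line": lineno, "severity": "review", "reason": "unparseable record"})
            continue
        if kind not in BINDING_EVENTS or actor in admins:
            continue
        # Before the upgrade the write control was not enforced, so the binding
        # itself must be verified; after it, a non-admin write means policy allows it.
        phase = "pre-upgrade" if when < upgraded_at else "post-upgrade"
        findings.append({"line": lineno, "severity": "high", "actor": actor,
                         "agent": event.get("agent"), "reason": f"{phase} non-admin binding change"})
    return findings


if __name__ == "__main__":
    for finding in audit_binding_changes(SAMPLE_EVENTS, ADMINS, UPGRADED_AT):
        print(finding)
```
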

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system roles and responsibilities
NIST AI RMF: GOVERN 6.1 - Policies and procedures for organizational roles and responsibilities
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53835 actively exploited?

No confirmed active exploitation of CVE-2026-53835 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53835?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, enterprise chat-integrated AI agents.

What is the CVSS score for CVE-2026-53835?

CVE-2026-53835 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI orchestration platforms, enterprise chat-integrated AI agents

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding feature to change sender-agent binding state beyond intended policy, potentially enabling unauthorized binding modifications.

Exploitation Scenario

An attacker holding a low-privilege OpenClaw account—such as a compromised contractor credential or a standard internal user account—sends a crafted API request to the Feishu dynamic-agent binding endpoint, specifying a binding to a high-privilege agent ordinarily restricted to admin or elevated senders. The config-write controls that should reject this request are not enforced, and the binding is created silently. The attacker can now invoke that agent's capabilities—triggering automation workflows, accessing internal data sources, or interacting with connected enterprise systems—effectively escalating their operational reach through the agent without any direct privilege escalation or credential theft in the traditional sense.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
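
The CWE-863 pattern above, modelled on a sender-to-agent binding store, as an added example that is not OpenClaw's code. The class, method and policy field names are hypothetical; the point is that the policy check belongs on the write path itself and must deny by default.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConfigWritePolicy:
    # Hypothetical stand-in for the "config-write controls" the advisory mentions.
    writes_enabled: bool = False
    allowed_writers: frozenset = frozenset()


@dataclass
class BindingStore:
    policy: ConfigWritePolicy
    bindings: dict = field(default_factory=dict)  # sender_id -> agent_id

    def bind_unchecked(self, sender_id, agent_id):
        """Flawed shape (CWE-863): the sender is authenticated upstream, but this
        write path never consults the policy, so any sender can change state."""
        self.bindings[sender_id] = agent_id

    def bind_enforced(self, sender_id, agent_id):
        """Corrected shape: the policy check sits on the write path itself and
        denies by default, covering both create and update."""
        if not self.policy.writes_enabled:
            raise PermissionError("config writes are disabled")
        if sender_id not in self.policy.allowed_writers:
            raise PermissionError(f"{sender_id} may not write bindings")
        self.bindings[sender_id] = agent_id


def try_bind(store, method, sender_id, agent_id):
    """Run one binding attempt and report (outcome, whether state changed)."""
    before = dict(store.bindings)
    try:
        getattr(store, method)(sender_id, agent_id)
        outcome = "allowed"
    except PermissionError:
        outcome = "denied"
    return outcome, store.bindings != before
```
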

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026
