CVE-2026-53836: OpenClaw: PowerShell allowlist bypass enables arbitrary RCE

HIGH
Published June 12, 2026
CISO Take

OpenClaw before 2026.5.12 fails to recognize abbreviated PowerShell encoded-command flag aliases (such as -enc or -e) in its allowlist parser, allowing any authenticated remote operator to execute arbitrary PowerShell on the agent host — with full confidentiality, integrity, and availability impact. A CVSS of 8.8 combined with network reachability, low complexity, and only low-privilege requirements makes this trivially exploitable by any user with valid credentials, no AI or security expertise required. AI agent frameworks like OpenClaw routinely hold environment variables containing LLM API keys, database credentials, and downstream service tokens, meaning RCE on the agent host is functionally a keys-to-the-kingdom event for the entire AI pipeline. The package's history of 174 prior CVEs and documented real-world ecosystem abuse for credential theft via AMOS stealer (AIID #1368) further elevates the credibility of active exploitation. Upgrade to OpenClaw 2026.5.12 immediately; if patching is blocked, restrict authenticated access to trusted operators only and enable PowerShell script block logging to detect abbreviated alias usage.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High risk with elevated practical urgency. The CVSS 8.8 vector (AV:N/AC:L/PR:L/UI:N) describes a remotely exploitable flaw requiring minimal attacker capability — any authenticated user can trigger it. The full CIA triad impact (C:H/I:H/A:H) on a system that, by design, holds privileged access to downstream AI infrastructure amplifies blast radius far beyond the individual host. The package's track record of 174 CVEs signals persistent security debt, and documented real-world abuse of the OpenClaw ecosystem (AIID #1368) suggests motivated threat actors are already targeting this attack surface. No public exploit exists yet, but the bypass technique — using alternate flag aliases PowerShell natively accepts — is discoverable through basic manual testing.

How does the attack unfold?

  1. Initial Access (AML.T0012): Adversary authenticates to OpenClaw with low-privilege credentials obtained via phishing, credential stuffing, or a compromised service account.

  2. Allowlist Bypass (AML.T0107): Adversary submits a PowerShell invocation using an abbreviated encoded-command alias (e.g., -enc or -e) that OpenClaw's parser does not recognize, causing the allowlist check to pass.

  3. Arbitrary Code Execution (AML.T0050): PowerShell decodes and executes the adversary's base64-encoded payload on the agent host under the OpenClaw service account's permissions.

  4. Credential Harvest and Pivot (AML.T0055): Adversary extracts LLM API keys, database credentials, and cloud tokens from the agent environment and pivots to connected AI infrastructure including vector databases, model inference endpoints, and downstream pipelines.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 70% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. Upgrade to OpenClaw 2026.5.12 or later immediately — this release patches the allowlist parser to recognize all valid PowerShell encoded-command flag aliases.

  2. If immediate patching is not feasible, restrict OpenClaw API access to a named allowlist of trusted operator accounts and enforce network segmentation so only authorized systems can reach the service.

  3. Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging on all OpenClaw hosts to detect invocations using abbreviated flag aliases (-enc, -e, -ec, -en).

  4. Audit installed OpenClaw skills against AIID #1368 indicators — cross-check skill sources against ClawHub-sourced packages flagged as malicious.

  5. Rotate all credentials and API keys stored as environment variables on OpenClaw agent hosts as a precautionary measure following any unpatched exposure window.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.5 - AI system technical security controls
NIST AI RMF
MS-2.5 - Respond to identified AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53836 actively exploited?

No confirmed active exploitation of CVE-2026-53836 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53836?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-orchestrated automation pipelines, multi-agent systems.

What is the CVSS score for CVE-2026-53836?

CVE-2026-53836 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI-orchestrated automation pipelines, multi-agent systems

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.5
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to execute encoded commands using abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks by using unrecognized encoded-command alias forms to execute arbitrary PowerShell content.

Exploitation Scenario

An adversary with low-privilege authenticated access to an organization's OpenClaw deployment — obtained via phishing, credential stuffing, or a compromised CI/CD service account — crafts a PowerShell invocation using the -enc abbreviated alias instead of the full -EncodedCommand flag. The OpenClaw allowlist parser, keyed only to the full flag string, treats the request as permitted and passes it for execution. PowerShell decodes and runs the attacker's base64-encoded payload — a lightweight reverse shell or credential harvester — under the OpenClaw service account context. The adversary immediately enumerates environment variables, recovering LLM API keys, database connection strings, and cloud provider tokens. From this foothold they pivot laterally: querying the connected vector database for proprietary training data, issuing requests against the LLM inference endpoint to exfiltrate system prompts, and potentially deploying persistence via OpenClaw's own skill installation mechanism.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
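
The allowed-inputs mitigation above, applied to this bug, as an added example (not OpenClaw's code): a denylist keyed to the exact full flag string beside a deny-by-default argument check. The policy values, function names and sample invocations are constructed, and the alias matcher assumes PowerShell accepts `-ec` and any leading abbreviation of `-EncodedCommand`.

```python
# Added example: names and policy values are constructed, not OpenClaw's.
FULL_FLAG = "encodedcommand"
ALLOWED_SWITCHES = {"-noprofile", "-noninteractive"}  # switches that take no value
ALLOWED_SCRIPTS = {r"c:\agent\scripts\health.ps1"}    # the only valid -File targets


def denylist_permits(argv):
    """Flawed check: blocks only the exact full flag name (CWE-184)."""
    return not any(a.lower() == "-" + FULL_FLAG for a in argv)


def is_encoded_alias(arg):
    """True for -EncodedCommand, any leading abbreviation of it, or -ec."""
    if not arg.startswith("-") or len(arg) < 2:
        return False
    name = arg[1:].lower()
    return name == "ec" or FULL_FLAG.startswith(name)


def allowlist_permits(argv):
    """Deny by default: every token must be one the policy explicitly expects."""
    i = 0
    while i < len(argv):
        tok = argv[i].lower()
        if tok in ALLOWED_SWITCHES:
            i += 1
        elif tok == "-file" and i + 1 < len(argv):
            if argv[i + 1].lower() not in ALLOWED_SCRIPTS:
                return False, "script not approved: " + argv[i + 1]
            i += 2
        else:
            # Alias matching only labels the rejection; it is not the control.
            kind = "encoded-command alias" if is_encoded_alias(argv[i]) else "unexpected token"
            return False, kind + ": " + argv[i]
    return True, "ok"


# Constructed argument lists (what follows powershell.exe); payload is a placeholder.
SAMPLES = [
    ["-NoProfile", "-File", r"C:\agent\scripts\health.ps1"],
    ["-EncodedCommand", "<BASE64>"],
    ["-enc", "<BASE64>"],
    ["-e", "<BASE64>"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(argv[0], denylist_permits(argv), allowlist_permits(argv))
```

The denylist passes the `-enc` and `-e` samples while the deny-by-default check rejects them without needing to know the alias, and the rejection reason it returns can be logged for review.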

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
