AI Threat Alert

CVE-2026-53838: OpenClaw: approval scope bypass via reconnection state

MEDIUM
Published June 12, 2026
CISO Take

OpenClaw's node pairing reconnection logic contains a state mutation flaw (CWE-367) that allows an already-paired node to confuse the platform's approval scope engine, effectively granting itself authority beyond what was originally sanctioned. For organizations running AI agent workflows on OpenClaw, this means a compromised or rogue paired node can escalate its operational permissions without triggering normal approval gates — removing the human-in-the-loop control that governs what autonomous actions the agent may take. With a CVSS of 6.5, network accessibility, low attack complexity, no user interaction required, and 174 prior CVEs in this package signaling systemic security debt, the platform warrants elevated scrutiny even absent active exploitation or a public proof-of-concept. Upgrade immediately to any OpenClaw release published after 2026.5.27, restrict paired-node API access to trusted network segments, and audit all current node approval scope assignments for anomalous breadth.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

Medium severity (CVSS 6.5) with meaningful AI-specific risk amplification beyond the base score. The vulnerability is straightforwardly exploitable by any low-privileged actor who has established a paired-node relationship — no advanced tooling required. In an AI agent context, bypassing approval scope restrictions is disproportionately dangerous because it eliminates the enforcement layer that keeps human oversight meaningful. Blast radius is partially contained by a small downstream dependent count (4), but the 174 CVEs in the same package indicate a pattern of security weaknesses that raises platform-level risk. No active exploitation, no KEV listing, no public PoC at time of analysis.

How does the attack unfold?

Initial Access
Attacker obtains a legitimate or compromised low-privilege paired-node credential for an OpenClaw deployment, establishing the minimal trust relationship required to trigger reconnection logic.
AML.T0049
Exploitation
Attacker forces or waits for a reconnection event and sends crafted pairing messages that trigger the CWE-367 state mutation, causing OpenClaw to assign the node a broader approval scope than it was originally granted.
AML.T0107
Privilege Escalation
The node now presents elevated authority to the OpenClaw approval engine, bypassing scope restrictions without generating standard approval requests or audit events.
AML.T0081
Impact
The escalated node autonomously invokes tools or actions — file writes, external API calls, shell commands — that should have required explicit human or higher-privilege approval, operating outside sanctioned boundaries.
AML.T0053

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 70% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A None

What should I do?

5 steps

  1. Patch: upgrade OpenClaw to any release after 2026.5.27 — confirm exact fixed version via vendor advisory GHSA-83w9-h5wv-j9xm before deploying.

  2. Network isolation: restrict the OpenClaw node-pairing and reconnection API surface to trusted internal network segments; block externally-reachable pairing endpoints at the firewall.

  3. Scope audit: enumerate all paired nodes and verify their assigned approval scopes match intended permissions — flag any node with unexpectedly broad authority for manual review.

  4. Detection: enable structured logging on approval scope decisions and alert on any scope change occurring during or immediately after a reconnection event.

  5. Threat hunt: review recent reconnection events in logs for nodes that gained scope elevation without a corresponding administrative approval action.

How is it classified?

Auth Bypass Code Execution Agent Framework AML.T0049 AML.T0053 AML.T0081 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 14 - Human oversight
ISO 42001
8.4 - AI system operation
NIST AI RMF
GOVERN 1.7 - Processes for AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53838?

OpenClaw's node pairing reconnection logic contains a state mutation flaw (CWE-367) that allows an already-paired node to confuse the platform's approval scope engine, effectively granting itself authority beyond what was originally sanctioned. For organizations running AI agent workflows on OpenClaw, this means a compromised or rogue paired node can escalate its operational permissions without triggering normal approval gates — removing the human-in-the-loop control that governs what autonomous actions the agent may take. With a CVSS of 6.5, network accessibility, low attack complexity, no user interaction required, and 174 prior CVEs in this package signaling systemic security debt, the platform warrants elevated scrutiny even absent active exploitation or a public proof-of-concept. Upgrade immediately to any OpenClaw release published after 2026.5.27, restrict paired-node API access to trusted network segments, and audit all current node approval scope assignments for anomalous breadth.

Is CVE-2026-53838 actively exploited?

No confirmed active exploitation of CVE-2026-53838 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53838?

1. Patch: upgrade OpenClaw to any release after 2026.5.27 — confirm exact fixed version via vendor advisory GHSA-83w9-h5wv-j9xm before deploying. 2. Network isolation: restrict the OpenClaw node-pairing and reconnection API surface to trusted internal network segments; block externally-reachable pairing endpoints at the firewall. 3. Scope audit: enumerate all paired nodes and verify their assigned approval scopes match intended permissions — flag any node with unexpectedly broad authority for manual review. 4. Detection: enable structured logging on approval scope decisions and alert on any scope change occurring during or immediately after a reconnection event. 5. Threat hunt: review recent reconnection events in logs for nodes that gained scope elevation without a corresponding administrative approval action.

What systems are affected by CVE-2026-53838?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, autonomous AI pipelines.

What is the CVSS score for CVE-2026-53838?

CVE-2026-53838 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestrationautonomous AI pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 14
ISO 42001: 8.4
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions.

Exploitation Scenario

An attacker operating a compromised or rogue node that has previously been legitimately paired with an OpenClaw deployment initiates a forced reconnection sequence — either by inducing a network disruption or by directly invoking the reconnection API with low-privilege credentials. During the reconnection handshake, they send crafted pairing messages that trigger the CWE-367 state mutation, causing OpenClaw to restore or assign a broader approval scope than the node originally held. The node now presents elevated authority to the approval engine, bypassing scope restrictions without generating standard approval requests. In an OpenClaw-orchestrated AI pipeline, the escalated node can autonomously invoke tools or actions — database reads, shell commands, external webhook calls — that would normally require explicit human approval or higher-privilege credentials, effectively operating outside sanctioned boundaries without any visible alert.

Weaknesses (CWE)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-cwj3-vqpp-pmxr 8.8

openclaw: Model bypasses authz to persist unsafe config

Same package: openclaw
HIGH CVE-2026-35674 8.8

OpenClaw: scope bypass enables full agent admin takeover

Same package: openclaw
HIGH CVE-2026-53811 8.8

OpenClaw: privilege escalation via identity spoofing

Same package: openclaw
Back to Threat Feed