CVE-2026-53843: OpenClaw: revocation bypass grants node token access

HIGH
Published June 16, 2026
CISO Take

OpenClaw before version 2026.5.26 contains an authorization bypass (CWE-613, Insufficient Session Expiration) that allows any attacker holding a previously-paired device session to silently re-establish WebSocket node-level access even after an administrator has explicitly revoked it. With a CVSS of 8.8, network-accessible attack surface, low attack complexity, and no user interaction required, this vulnerability directly defeats the revocation controls that security teams rely on to contain compromised access during incident response. In AI agent deployments, node-level WebSocket access translates to the ability to observe, inject into, or manipulate agent workflows—making this a persistence vector that survives standard containment actions. Patch immediately to 2026.5.26; if patching cannot be done immediately, rotate all node tokens, invalidate all pairing-scoped device sessions, and restrict WebSocket access to trusted network segments.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

High severity. CVSS 8.8 with AV:N/AC:L/PR:L/UI:N places this in the range exploitable by any low-privileged attacker who previously achieved device pairing. The core danger is that it defeats a fundamental security primitive: access revocation. An attacker who establishes a foothold through social engineering, a compromised endpoint, or insider access becomes effectively permanent even after detection and response. No public exploits or Nuclei scanner templates exist at time of disclosure and EPSS data is not yet available, but the trivially low attack complexity means exploitation risk will escalate rapidly as awareness of this disclosure spreads.

How does the attack unfold?

Initial Access
Attacker leverages a previously-paired device session obtained through prior legitimate access, social engineering, or endpoint compromise—the session was not properly invalidated upon administrative revocation.
AML.T0012
Token Re-establishment
The attacker's client uses the surviving pairing-scoped device session to re-establish node token authority via WebSocket, bypassing revocation controls without triggering administrator notification.
AML.T0091.000
Persistence
Attacker maintains continuous unauthorized WebSocket node-level access to the OpenClaw deployment while the security team believes the threat was contained during the incident response action.
AML.T0108
Impact
Attacker observes agent activity, injects malicious tasks into the agent execution queue, exfiltrates tool outputs and sensitive retrieved data, or manipulates AI agent workflows through the persistent unauthorized node connection.
AML.T0053
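The revocation gap in the chain above comes down to one design error: the node token is treated as the thing to revoke, while the pairing-scoped device session that minted it keeps its authority. The following added Python example (written for this page, not OpenClaw's code) models both a gateway with that flaw and a hardened one in which revocation kills the session, drops every token derived from it, and bumps a session epoch so stale tokens fail. Every name in it (VulnerableGateway, pair_device, issue_node_token, revoke_node, websocket_connect) is an assumption for the illustration, not an OpenClaw API.

```python
"""Model of the CWE-613 bug class behind CVE-2026-53843.

Added illustration, not OpenClaw's code. All class and method names
are hypothetical.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class DeviceSession:
    session_id: str
    device_id: str
    approved: bool = True
    revoked: bool = False
    epoch: int = 0          # bumped on revocation; tokens carry the epoch they were minted in


@dataclass
class NodeToken:
    token: str
    session_id: str
    epoch: int


class VulnerableGateway:
    """Revocation removes the node token but leaves the pairing session alive,
    so the holder can simply mint a fresh token from the surviving session."""

    def __init__(self) -> None:
        self.sessions: dict[str, DeviceSession] = {}
        self.node_tokens: dict[str, NodeToken] = {}

    def pair_device(self, device_id: str) -> DeviceSession:
        s = DeviceSession(session_id=secrets.token_hex(8), device_id=device_id)
        self.sessions[s.session_id] = s
        return s

    def issue_node_token(self, session_id: str) -> str:
        s = self.sessions[session_id]               # KeyError for unknown sessions
        if not s.approved:
            raise PermissionError("pairing not approved")
        t = NodeToken(secrets.token_hex(16), session_id, s.epoch)
        self.node_tokens[t.token] = t
        return t.token

    def revoke_node(self, token: str) -> None:
        # BUG: only the token is dropped; the session that minted it survives.
        self.node_tokens.pop(token, None)

    def websocket_connect(self, token: str) -> bool:
        return token in self.node_tokens


class HardenedGateway(VulnerableGateway):
    """Revocation invalidates the session, drops every token it minted and
    bumps the epoch; re-issuance needs a new, explicitly approved pairing."""

    def revoke_node(self, token: str) -> None:
        t = self.node_tokens.pop(token, None)
        if t is None:
            return
        s = self.sessions.get(t.session_id)
        if s is not None:
            s.revoked = True
            s.approved = False
            s.epoch += 1
        for k, other in list(self.node_tokens.items()):
            if other.session_id == t.session_id:    # sibling tokens die with the session
                del self.node_tokens[k]

    def issue_node_token(self, session_id: str) -> str:
        s = self.sessions[session_id]
        if s.revoked or not s.approved:
            raise PermissionError("session revoked; re-pair and obtain approval")
        return super().issue_node_token(session_id)

    def websocket_connect(self, token: str) -> bool:
        t = self.node_tokens.get(token)
        if t is None:
            return False
        s = self.sessions.get(t.session_id)
        # Epoch check: a pre-revocation token is dead even if it lingered in the table.
        return s is not None and not s.revoked and t.epoch == s.epoch


def reconnect_after_revoke(gw: VulnerableGateway) -> bool:
    """Attacker flow: pair, obtain a node token, admin revokes it, attacker
    mints a new token from the same device session and connects."""
    session = gw.pair_device("attacker-laptop")
    first = gw.issue_node_token(session.session_id)
    gw.revoke_node(first)                           # administrator revokes node access
    try:
        second = gw.issue_node_token(session.session_id)
    except PermissionError:
        return False
    return gw.websocket_connect(second)


if __name__ == "__main__":
    print("vulnerable regains access:", reconnect_after_revoke(VulnerableGateway()))
    print("hardened regains access:  ", reconnect_after_revoke(HardenedGateway()))
```

The point of the epoch field is that revocation must be visible to every path that checks authority, not only to the code that deletes one record; any check that validates a token without consulting the state of the session it came from recreates the bug.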

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable range: before 2026.5.26 (from the advisory text; the package record leaves this field blank)
Patched: 2026.5.26 per the advisory; the package record still reads "No patch"
Dependents: 4 (61% patched, ~0 days to patch)

If you run any OpenClaw release before 2026.5.26, you are affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

CVSS 3.1 base metrics:
AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. Upgrade to OpenClaw 2026.5.26 or later immediately—this is the only complete remediation.

  2. If patching must be deferred, manually invalidate and rotate all active node tokens and pairing-scoped device sessions across the deployment.

  3. Audit WebSocket connection logs for re-establishment events that follow revocation actions—these are direct indicators of exploitation or attempted exploitation.

  4. Restrict WebSocket access to known, trusted IP ranges via firewall rules or network policy controls.

  5. Review and reduce tool permissions granted to OpenClaw agent nodes to limit blast radius if unauthorized access is already in progress.

  6. Implement alerting on WebSocket reconnection events from devices flagged as revoked.
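Steps 3 and 6 both reduce to the same correlation: a WebSocket connect from a session or device after a revocation event for that session or device, with no fresh approved pairing in between. The added Python example below (not OpenClaw tooling) runs that check over constructed JSON-lines events. The field names ts, event, device_id, session_id and src_ip, and the event names device.paired, node.revoked, ws.connect and ws.disconnect, are assumptions for the example; map your gateway's real log fields onto them.

```python
"""Detect WebSocket reconnects that follow a revocation (steps 3 and 6).

Added example, not OpenClaw code. Log schema and sample events are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events, not real OpenClaw logs.
SAMPLE_LOG = """\
{"ts":"2026-06-16T09:00:00Z","event":"device.paired","device_id":"dev-a1","session_id":"s-111","src_ip":"10.0.4.21"}
{"ts":"2026-06-16T09:00:05Z","event":"ws.connect","device_id":"dev-a1","session_id":"s-111","src_ip":"10.0.4.21"}
{"ts":"2026-06-16T10:15:00Z","event":"node.revoked","device_id":"dev-a1","session_id":"s-111","actor":"admin@corp"}
{"ts":"2026-06-16T10:15:02Z","event":"ws.disconnect","device_id":"dev-a1","session_id":"s-111","src_ip":"10.0.4.21"}
{"ts":"2026-06-16T10:15:40Z","event":"ws.connect","device_id":"dev-a1","session_id":"s-111","src_ip":"10.0.4.21"}
{"ts":"2026-06-16T10:16:00Z","event":"device.paired","device_id":"dev-b7","session_id":"s-222","src_ip":"10.0.4.30"}
{"ts":"2026-06-16T10:16:03Z","event":"ws.connect","device_id":"dev-b7","session_id":"s-222","src_ip":"10.0.4.30"}
{"ts":"2026-06-16T11:00:00Z","event":"ws.connect","device_id":"dev-a1","session_id":"s-111","src_ip":"203.0.113.9"}
"""


@dataclass
class Alert:
    ts: str
    device_id: str
    session_id: str
    src_ip: str
    seconds_since_revoke: float
    reason: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_revocation_reconnects(log_text: str) -> list[Alert]:
    """Walk events in order. After node.revoked for a session/device, every later
    ws.connect from that session, or from that device without a new approved
    pairing, is an alert."""
    revoked_sessions: dict[str, datetime] = {}
    revoked_devices: dict[str, datetime] = {}
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, ts = ev["event"], _parse_ts(ev["ts"])
        dev, sess = ev.get("device_id"), ev.get("session_id")
        if kind == "node.revoked":
            revoked_sessions[sess] = ts
            revoked_devices[dev] = ts
        elif kind == "device.paired":
            # A new approved pairing legitimately clears the device's revoked state;
            # the old session itself stays revoked forever.
            revoked_devices.pop(dev, None)
        elif kind == "ws.connect":
            if sess in revoked_sessions:
                since, reason = revoked_sessions[sess], "connect using a revoked session"
            elif dev in revoked_devices:
                since, reason = revoked_devices[dev], "connect from revoked device without re-pairing"
            else:
                continue
            alerts.append(Alert(ev["ts"], dev, sess, ev.get("src_ip", "?"),
                                (ts - since).total_seconds(), reason))
    return alerts


if __name__ == "__main__":
    for a in find_post_revocation_reconnects(SAMPLE_LOG):
        print(f"{a.ts} {a.device_id} {a.session_id} from {a.src_ip} "
              f"{a.seconds_since_revoke:.0f}s after revoke: {a.reason}")
```

On the sample, dev-b7 is never flagged, while dev-a1 produces two alerts: the reconnect 40 seconds after revocation from the original address, and a later one from a new address using the same session. The second case is the one worth paging on, since a revoked session appearing from a new source is hard to explain as a client that simply failed to notice it was cut off.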

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - System and application access control
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks are in place
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53843?

CVE-2026-53843 is an authorization bypass (CWE-613, Insufficient Session Expiration) in OpenClaw before 2026.5.26: a pairing-scoped device session survives administrative revocation, so its holder can re-establish WebSocket node-level access without renewed approval. It carries a CVSS 3.1 base score of 8.8 (HIGH). The full summary is in the CISO Take above.

Is CVE-2026-53843 actively exploited?

No confirmed active exploitation of CVE-2026-53843 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53843?

Upgrade to OpenClaw 2026.5.26 or later; that is the only complete fix. If patching must be deferred: invalidate and rotate all node tokens and pairing-scoped device sessions, restrict WebSocket access to trusted IP ranges, audit WebSocket logs for connections that follow a revocation, alert on reconnects from revoked devices, and reduce the tool permissions granted to agent nodes. The six steps are detailed under "What should I do?" above.

What systems are affected by CVE-2026-53843?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent orchestration, WebSocket-connected agent nodes, multi-agent systems.

What is the CVSS score for CVE-2026-53843?

CVE-2026-53843 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent orchestration, WebSocket-connected agent nodes, multi-agent systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0091.000 Application Access Token
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

Exploitation Scenario

A threat actor—whether a former employee, a compromised developer endpoint, or an insider—previously paired a device with an OpenClaw deployment. After the pairing is discovered and an administrator explicitly revokes the session, the attacker's client uses the surviving pairing-scoped device session to silently re-establish the WebSocket connection and reclaim node token authority without any administrator approval or alert. In an AI agent context, the attacker now has persistent access to observe all agent activity, inject malicious instructions into the agent's task queue, exfiltrate sensitive outputs including API responses, retrieved documents, and tool results, or manipulate agent behavior at will—all while the security team believes the threat has been contained and the incident is closed.

Weaknesses (CWE)

CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  • [Implementation] Set sessions/credentials expiration date.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities