CVE-2026-53844: OpenClaw: auth bypass exposes cross-session agent memory

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw, an AI agent framework, contains a session visibility check bypass in its shared memory search that permits any authenticated caller to retrieve memory entries belonging to other sessions. The flaw is network-accessible with low complexity and requires only low privileges, meaning any valid account — including a compromised one — is sufficient to trigger it. While CISA has not added this to KEV and no public exploit code is known, CWE-862 (Missing Authorization) vulnerabilities in AI agent shared memory carry outsized risk: agent memory routinely contains embedded API credentials, proprietary system prompts, and sensitive conversation history from concurrent sessions. Upgrade to OpenClaw 2026.4.29 or later immediately; until patched, restrict shared memory search access to the minimum required user set and audit API logs for cross-session query patterns.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS rates this Medium at 6.5, but functional risk in AI agent deployments is materially higher. The missing authorization check is on a network-reachable search path requiring no victim interaction — any authenticated user can exploit it without specialized tooling. Risk escalates in proportion to deployment scale: a single-user isolated instance has low exposure, while a multi-tenant or enterprise-shared OpenClaw instance is a high-value target where the shared memory pool may contain credentials, instructions, and data from many concurrent agent sessions. No KEV listing and no public exploit reduce immediate urgency, but the trivial exploitation bar means post-disclosure weaponization is likely rapid.

How does the attack unfold?

  1. Authentication (AML.T0012): Attacker authenticates to OpenClaw using any valid low-privilege credentials — obtained via phishing, credential stuffing, or a compromised internal account.

  2. Authorization Bypass (AML.T0049): Attacker submits a crafted shared memory search request that skips or corrupts the session-scoping visibility guard, triggering the CWE-862 missing authorization flaw on the search path.

  3. Cross-Session Memory Harvest (AML.T0080.000): OpenClaw returns memory entries from all active sessions; attacker iterates results to collect conversation history, embedded API keys, system prompts, and sensitive reasoning context from other users' agents.

  4. Data Exfiltration (AML.T0085): Attacker extracts harvested data — credentials for external services, proprietary agent instructions, or sensitive user data — enabling lateral movement, privilege escalation, or downstream intelligence operations.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   pip                              No patch

4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. Patch immediately: upgrade to OpenClaw >= 2026.4.29.

  2. Until patched, restrict the shared memory search API to admin-only or disable it entirely if operationally feasible.

  3. Audit shared memory contents — identify and rotate any API keys, credentials, or tokens stored in agent memory.

  4. Review application logs for anomalous cross-session patterns: memory search responses containing session IDs that do not match the requesting caller's session.

  5. Apply network-layer controls to limit OpenClaw API access to authorized internal networks and authenticated service accounts only.

  6. After patching, rotate all credentials that may have transited agent memory during the exposure window.
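The log review in step 4, as an added example that is not OpenClaw's own tooling. It assumes a hypothetical JSON-lines audit log in which each memory search record carries the caller's session (`caller_session`) and the owning sessions of the returned entries (`result_sessions`); these field names and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records; the field names are assumptions, not OpenClaw's log schema.
SAMPLE_LOG = """\
{"ts":"2026-06-10T09:14:02Z","event":"memory.search","user":"analyst-a","caller_session":"s-101","result_sessions":["s-101","s-101"]}
{"ts":"2026-06-10T09:15:40Z","event":"memory.search","user":"analyst-b","caller_session":"s-202","result_sessions":["s-202","s-101","s-303"]}
{"ts":"2026-06-10T09:15:41Z","event":"memory.write","user":"analyst-a","caller_session":"s-101"}
not-json line from a proxy
{"ts":"2026-06-10T09:16:05Z","event":"memory.search","user":"analyst-b","caller_session":"s-202","result_sessions":["s-404"]}
{"ts":"2026-06-10T09:17:00Z","event":"memory.search","user":"svc-x","result_sessions":["s-101"]}
"""

def find_cross_session_reads(lines):
    """Return one finding per search whose results include another session's entries."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the audit
        if not isinstance(rec, dict) or rec.get("event") != "memory.search":
            continue
        caller = rec.get("caller_session")
        returned = rec.get("result_sessions") or []
        # A search with no caller session recorded cannot be scoped: flag all of it.
        foreign = sorted({s for s in returned if caller is None or s != caller})
        if foreign:
            findings.append({"line": lineno, "ts": rec.get("ts"), "user": rec.get("user"),
                             "caller_session": caller, "foreign_sessions": foreign})
    return findings

def exposed_sessions_by_user(findings):
    """Map each user to the foreign sessions they read, to scope the audit in steps 3 and 6."""
    exposure = defaultdict(set)
    for f in findings:
        exposure[f["user"]].update(f["foreign_sessions"])
    return {u: sorted(s) for u, s in exposure.items()}

if __name__ == "__main__":
    hits = find_cross_session_reads(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(exposed_sessions_by_user(hits))
```

Entries that a deployment intentionally shares across sessions will also appear as foreign here, so a real rule needs an allowlist for them.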

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.1.2 - Access control to AI systems and data
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-53844 actively exploited?

No confirmed active exploitation of CVE-2026-53844 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53844?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI agent deployments, shared memory systems for LLM agents, RAG pipelines.

What is the CVSS score for CVE-2026-53844?

CVE-2026-53844 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-tenant AI agent deployments, shared memory systems for LLM agents, RAG pipelines

MITRE ATLAS Techniques

AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application
AML.T0080.000 Memory
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.

Exploitation Scenario

An attacker with a low-privilege OpenClaw account — or who has compromised one via phishing or credential stuffing — submits a crafted shared memory search request that deliberately omits or corrupts the session-scoping parameter. The search path, lacking proper authorization enforcement per CWE-862, returns memory entries from all active sessions. The attacker iterates paginated results to harvest API keys that tool configurations have embedded in other agents' memory, system prompt contents from other teams' agents, and sensitive conversation history from concurrent sessions. In a security operations center where multiple analysts share an OpenClaw instance for AI-assisted threat investigation, this allows a single compromised analyst account to silently exfiltrate other teams' investigation notes, IOCs under embargo, or credentials to external threat intelligence feeds — all without triggering authentication alerts.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
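The horizontal-authorization gap described above, as an added example: a simplified model of a shared memory store, not OpenClaw's code. The `Entry` type, the `shared` flag and all function names are hypothetical; it contrasts a search path that treats session scoping as an optional caller-supplied filter with one that applies the same visibility rule as the direct read path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    session_id: str   # owning session
    shared: bool      # explicitly published to other sessions
    text: str

# Constructed sample data for this model.
STORE = [
    Entry("s-101", False, "intel feed token: <redacted-placeholder>"),
    Entry("s-101", True,  "team glossary: IOC naming rules"),
    Entry("s-202", False, "draft notes on phishing case"),
]

def visible_to(entry: Entry, auth_session: str) -> bool:
    """Single visibility rule: own entries, plus entries explicitly shared."""
    return entry.session_id == auth_session or entry.shared

def get_entry(index: int, auth_session: str) -> Entry:
    """Direct read path: guarded."""
    entry = STORE[index]
    if not visible_to(entry, auth_session):
        raise PermissionError("entry not visible to this session")
    return entry

def search_unguarded(query: str, session_filter=None):
    """Flawed pattern: scoping is an optional, caller-supplied filter,
    so a request that omits it gets matches from every session."""
    return [e for e in STORE if query in e.text
            and (session_filter is None or e.session_id == session_filter)]

def search_guarded(query: str, auth_session: str):
    """Corrected pattern: scope comes from the authenticated session, and the
    visibility rule used by get_entry is applied to every candidate result."""
    if not auth_session:
        raise PermissionError("search requires an authenticated session")
    return [e for e in STORE if query in e.text and visible_to(e, auth_session)]
```

A regression test for the fix should assert that every entry returned by the search path would also pass the direct read path for the same session.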

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026

Related Vulnerabilities