CVE-2026-53845: OpenClaw: hook bypass enables audit/policy evasion

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.6 contains a flaw in its skill command dispatch path that causes before-tool-call hooks to be silently skipped, allowing any authenticated low-privilege user to invoke agent tools outside the normal policy and audit enforcement chain. For security teams, this is meaningful because hooks are the primary extension point for enforcing access controls, logging, rate limiting, and content filtering in agent frameworks — their silent bypass means those controls offer no actual protection for commands routed through the vulnerable path. The CVE carries a CVSS of 4.3 Medium, is not in CISA KEV, carries no public exploit, and EPSS data is not yet available, so immediate mass exploitation is unlikely but insider threat and privilege-escalation-adjacent abuse are realistic given the low bar to exploit. The fix is straightforward: upgrade to OpenClaw 2026.5.6 or later; if patching is blocked, audit all code paths that dispatch skill commands and add compensating controls (server-side logging, network-level monitoring) that do not rely on the before-tool-call hook chain.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Exploitability is medium: the flaw is reachable over the network with low privileges and no user interaction, which makes it accessible to any authenticated user. The integrity impact is limited (I:L), but the policy bypass matters more than the raw CVSS score suggests. In agentic architectures, hooks are often the only enforcement layer between the LLM's decisions and downstream tool execution, so bypassing them can have cascading effects, including unlogged data access, unenforced rate limits, or silently disabled content filters. Risk is elevated in deployments where the before-tool-call hook carries compliance-critical controls (ISO 42001 audit logging, EU AI Act transparency requirements). The issue is not critical absent active exploitation, but it warrants prompt patching in any regulated or multi-tenant deployment.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker authenticates to an OpenClaw deployment with any low-privilege account, such as a free-tier or guest user credential.

  2. Discovery (AML.T0084): Attacker identifies the vulnerable skill command dispatch path by inspecting API documentation, source code, or network traffic, confirming it skips before-tool-call hook execution.

  3. Defense Evasion (AML.T0107): Attacker routes skill commands through the vulnerable dispatch path, causing all registered before-tool-call hooks (audit logging, access control, content filtering) to be silently bypassed.

  4. Impact (AML.T0053): Attacker executes privileged agent tools (database queries, file exports, external API calls) outside the enforced policy boundary with no audit trail generated, enabling unauthorized data access or policy-violating actions.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

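Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None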

What should I do?

6 steps
  1. Patch immediately: upgrade to OpenClaw 2026.5.6 or later — this is the only complete fix.

  2. If patching is blocked, identify all code paths that call the affected dispatch function and add server-side pre-execution checks outside the hook chain.

  3. Enable network-level or database-level audit logging as a compensating control that cannot be bypassed by the application layer.

  4. Review audit logs for skill invocations that lack a corresponding hook-execution trace — this pattern indicates exploitation of the bypass.

  5. In regulated environments, document the compensating controls for ISO 42001 or EU AI Act audit purposes until the patch is applied.

  6. Pin the dependency version in CI/CD to block any accidental downgrade.
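
The log review in step 4, as an added example (not OpenClaw code and not its log schema): it pairs each tool invocation with a before-tool-call trace and reports the invocations that have none. The event names, field names and sample records are assumptions constructed for illustration; the invocation records have to come from a source that does not depend on the hook chain (step 3), because a skipped hook writes nothing to correlate against.

```python
import json
from datetime import datetime, timedelta, timezone

HOOK, TOOL = "hook.before_tool_call", "tool.invoked"  # assumed event names

# Constructed sample records; the field names are assumptions, not OpenClaw's schema.
SAMPLE = """\
{"ts":"2026-06-16T10:00:00Z","event":"hook.before_tool_call","call_id":"c1","user":"alice","tool":"db_query"}
{"ts":"2026-06-16T10:00:01Z","event":"tool.invoked","call_id":"c1","user":"alice","tool":"db_query"}
{"ts":"2026-06-16T10:02:10Z","event":"tool.invoked","call_id":"c2","user":"guest7","tool":"file_export"}
{"ts":"2026-06-16T10:03:00Z","event":"hook.before_tool_call","user":"bob","tool":"web_fetch"}
{"ts":"2026-06-16T10:03:01Z","event":"tool.invoked","user":"bob","tool":"web_fetch"}
{"ts":"2026-06-16T10:03:02Z","event":"tool.invoked","user":"bob","tool":"web_fetch"}
truncated-or-corrupt-line
""".splitlines()

def _parse(line):
    """Return the record with a parsed UTC timestamp, or None if malformed."""
    try:
        ev = json.loads(line)
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["_t"] = t if t.tzinfo else t.replace(tzinfo=timezone.utc)
        ev["_key"] = (ev["user"], ev["tool"])
        return ev if ev["event"] in (HOOK, TOOL) else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def find_unhooked_invocations(lines, window=timedelta(seconds=5)):
    """List (ts, user, tool) of tool invocations that lack a hook trace: matched on
    call_id if present, else same user and tool with a hook <= `window` earlier."""
    events = sorted(filter(None, map(_parse, lines)), key=lambda e: e["_t"])
    hook_ids = {e["call_id"] for e in events if e["event"] == HOOK and e.get("call_id")}
    pools = {}  # (user, tool) -> timestamps of hook traces that carry no call_id
    for e in events:
        if e["event"] == HOOK and not e.get("call_id"):
            pools.setdefault(e["_key"], []).append(e["_t"])
    flagged = []
    for inv in (e for e in events if e["event"] == TOOL):
        if inv.get("call_id"):
            covered = inv["call_id"] in hook_ids
        else:
            pool = pools.get(inv["_key"], [])
            hit = next((t for t in pool if timedelta(0) <= inv["_t"] - t <= window), None)
            covered = hit is not None
            if covered:
                pool.remove(hit)  # one hook trace covers one invocation
        if not covered:
            flagged.append((inv["ts"], inv["user"], inv["tool"]))
    return flagged
```

On the constructed sample this reports the guest7 file_export call and bob's second web_fetch call, whose only hook trace was already used by the first.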

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 12 - Record-keeping and logging
ISO 42001: A.6.2.6 - Logging and monitoring of AI system operation
NIST AI RMF: GOVERN 1.2 - Policies and procedures for AI risk management
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53845 actively exploited?

No confirmed active exploitation of CVE-2026-53845 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53845?

  1. Patch immediately: upgrade to OpenClaw 2026.5.6 or later; this is the only complete fix.

  2. If patching is blocked, identify all code paths that call the affected dispatch function and add server-side pre-execution checks outside the hook chain.

  3. Enable network-level or database-level audit logging as a compensating control that cannot be bypassed by the application layer.

  4. Review audit logs for skill invocations that lack a corresponding hook-execution trace; this pattern indicates exploitation of the bypass.

  5. In regulated environments, document the compensating controls for ISO 42001 or EU AI Act audit purposes until the patch is applied.

  6. Pin the dependency version in CI/CD to block any accidental downgrade.

What systems are affected by CVE-2026-53845?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, multi-tenant AI platforms, tool-augmented LLM deployments.

What is the CVSS score for CVE-2026-53845?

CVE-2026-53845 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, multi-tenant AI platforms, tool-augmented LLM deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 12
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.

Exploitation Scenario

An attacker with a valid low-privilege account (e.g., a free-tier user on a SaaS platform built on OpenClaw) reverse-engineers the API and identifies that skill commands sent through the affected dispatch endpoint bypass the before-tool-call hook. They craft requests targeting this path to invoke high-privilege agent tools — such as a database query tool or a file export tool — that would normally be blocked or logged by the hook-based access control layer. The invocations succeed silently with no audit record generated, allowing the attacker to exfiltrate data or perform unauthorized actions that appear absent from audit trails, potentially evading both real-time detection and post-incident forensics.

Weaknesses (CWE)

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.
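
A simplified model of this weakness class with the compensating design beside it, added here as an illustration and not taken from OpenClaw: the check is bound to each tool callable, so it runs whichever dispatch path reaches the tool. `Dispatcher`, `guarded`, `run_as`, `export_file` and the user records are hypothetical names.

```python
import contextvars

# All names below are hypothetical; this models the weakness class only.
CURRENT_USER = contextvars.ContextVar("current_user", default=None)
AUDIT = []  # stand-in for an append-only audit sink

def before_tool_call(tool, args):
    """Policy hook: audit the call, then enforce the caller's allow-list."""
    user = CURRENT_USER.get()
    if user is None:
        raise PermissionError("no authenticated user in context")  # fail closed
    AUDIT.append((user["name"], tool, dict(args)))
    if tool not in user["allowed_tools"]:
        raise PermissionError(f"{user['name']} may not call {tool}")

def guarded(tool, fn):
    """Bind the check to the tool itself so no dispatch path can omit it."""
    def wrapper(**args):
        before_tool_call(tool, args)
        return fn(**args)
    return wrapper

class Dispatcher:
    """Toy dispatcher with two entry points; only one calls the hook."""
    def __init__(self, tools, guard=False):
        self.hook_in_dispatcher = not guard
        self.tools = {n: guarded(n, f) if guard else f for n, f in tools.items()}

    def dispatch_tool(self, tool, **args):
        if self.hook_in_dispatcher:
            before_tool_call(tool, args)
        return self.tools[tool](**args)

    def dispatch_skill(self, tool, **args):
        # The flawed path: it reaches the tool without calling the hook.
        return self.tools[tool](**args)

def export_file(path):
    return f"exported {path}"

def run_as(user, call, *args, **kwargs):
    """Run `call` with `user` as the authenticated principal for this request."""
    token = CURRENT_USER.set(user)
    try:
        return call(*args, **kwargs)
    except PermissionError as exc:
        return f"denied: {exc}"
    finally:
        CURRENT_USER.reset(token)
```

With `guard=False`, `dispatch_skill` returns the tool result and appends nothing to `AUDIT`; with `guard=True`, the same call is audited and denied for a user whose allow-list lacks the tool.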

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
