CVE-2026-53847: OpenClaw: privilege escalation via write scope bypass

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.6 allows Gateway operators with operator.write credentials to modify global agent configurations that should require operator.admin privileges, due to insufficient scope validation in the Active Memory write path. For teams running AI agent infrastructure, this means any compromised or malicious operator-level account can tamper with system-wide configuration controlling all agents managed by the Gateway — silently altering memory policies, tool permissions, or routing rules at fleet scale. While CVSS scores this at medium (5.4) with no confirmed active exploitation and no CISA KEV entry, the low attack complexity (AC:L) and low privilege requirement (PR:L) make this a credible insider threat and post-compromise escalation vector requiring no user interaction once credentials are obtained. Patch to 2026.5.6 immediately; if patching is blocked, audit all operator.write account assignments and enable alerting on global configuration changes.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk by CVSS (5.4), elevated in AI agent environments where global configuration governs agent behavior at scale. Attack complexity is low and privilege requirement is low — any account with operator.write access, whether compromised externally or abused by an insider, can exploit this without user interaction. No public exploit and no KEV classification reduce immediate urgency, but the network-accessible vector (AV:N) combined with zero required user interaction (UI:N) means exploitation requires minimal effort once credentials are in hand. Primary risk is unauthorized modification of agent memory scope policies, tool permission sets, or routing rules affecting all downstream agent operations, with integrity and availability impacts rated low individually but potentially high in aggregate across a managed agent fleet.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains operator.write credentials for the OpenClaw Gateway via credential theft, phishing a Gateway operator, or compromising a CI/CD service account.

  2. Scope Bypass (AML.T0049): Attacker crafts an API request to the Active Memory write endpoint specifying a global configuration parameter, exploiting insufficient scope validation to bypass the operator.admin privilege requirement.

  3. Configuration Modification (AML.T0081): Unauthorized global configuration changes are applied to the Gateway — modifying agent memory scope policies, tool permission sets, or routing rules — affecting all agents under management.

  4. Persistent Impact (AML.T0080.000): Modified configuration persists across all subsequent agent sessions, silently altering fleet-wide agent behavior and potentially establishing backdoor conditions in autonomous workflows without triggering admin-level audit events.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 61% patched, ~0d to patch

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: Low
A: Low

What should I do?

5 steps
  1. Upgrade OpenClaw to version 2026.5.6 or later immediately — the fix enforces strict scope validation on all Active Memory write operations against the admin privilege boundary.

  2. Audit all accounts holding operator.write access; revoke any unnecessary assignments and enforce least-privilege separation between write and admin roles.

  3. Enable and centralize configuration change audit logs from the OpenClaw Gateway; alert on any global configuration modifications not originating from verified operator.admin accounts.

  4. Review current global configuration state for unauthorized changes applied before patching — compare against known-good baseline if one exists.

  5. Restrict Gateway API access to trusted management networks or dedicated operator workstations via network-level controls to reduce the attack surface for credential-based exploitation.
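One way to implement steps 3 and 4, as an added example that is not OpenClaw code. The audit event fields (`actor`, `scopes`, `action`, `key`), the `global.` key prefix, the config layout and all sample data are constructed assumptions; map them to the Gateway's real audit schema and configuration export before use.

```python
import json

# Constructed sample audit events (JSON lines); field names are assumptions, not OpenClaw's schema.
SAMPLE_AUDIT = """\
{"ts": "2026-06-10T09:14:02Z", "actor": "svc-ci", "scopes": ["operator.write"], "action": "config.update", "key": "agent.alpha.memory.note"}
{"ts": "2026-06-10T09:15:40Z", "actor": "svc-ci", "scopes": ["operator.write"], "action": "config.update", "key": "global.tools.default_permissions"}
{"ts": "2026-06-10T10:01:11Z", "actor": "alice", "scopes": ["operator.write", "operator.admin"], "action": "config.update", "key": "global.routing.rules"}
not-json garbage line
"""
# Constructed known-good baseline and current global configuration (assumed layout).
BASELINE = {"global": {"tools": {"default_permissions": ["search"]}, "memory": {"retention_days": 30}}}
CURRENT = {"global": {"tools": {"default_permissions": ["search", "shell"]}, "memory": {"retention_days": 30}}}
GLOBAL_PREFIX = "global."       # assumed naming for fleet-wide settings
ADMIN_SCOPE = "operator.admin"  # scope named in the advisory

def suspicious_global_writes(lines):
    """Return events that changed a global key without operator.admin."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            key = str(ev.get("key", ""))
        except (json.JSONDecodeError, AttributeError):
            hits.append({"line": n, "reason": "unparseable"})  # surface it, never drop silently
            continue
        if (ev.get("action") == "config.update" and key.startswith(GLOBAL_PREFIX)
                and ADMIN_SCOPE not in (ev.get("scopes") or [])):
            hits.append({"line": n, "reason": "global write without admin",
                         "actor": ev.get("actor"), "key": key})
    return hits

def config_drift(baseline, current, path=""):
    """Return {dotted.path: (baseline_value, current_value)} for every difference."""
    drift = {}
    for k in sorted(set(baseline) | set(current)):
        old, new = baseline.get(k, "<absent>"), current.get(k, "<absent>")
        if isinstance(old, dict) and isinstance(new, dict):
            drift.update(config_drift(old, new, f"{path}{k}."))
        elif old != new:
            drift[f"{path}{k}"] = (old, new)
    return drift

if __name__ == "__main__":
    for hit in suspicious_global_writes(SAMPLE_AUDIT.splitlines()):
        print("ALERT", hit)
    print("DRIFT", config_drift(BASELINE, CURRENT))
```

Events with a missing `scopes` field are treated as lacking admin, so incomplete records raise an alert rather than pass.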

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - Privileged access management
NIST AI RMF: GOVERN 1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53847 actively exploited?

No confirmed active exploitation of CVE-2026-53847 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53847?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, agent orchestration platforms, multi-agent systems.

What is the CVSS score for CVE-2026-53847?

CVE-2026-53847 has a CVSS v3.1 base score of 5.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, agent orchestration platforms, multi-agent systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0080.000 Memory
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.
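A minimal model of the bug class described above, as an added example and not OpenClaw's code. The scope names come from the advisory; the `global.` and `agent.` key prefixes, the function names, the batch request shape and the rule that admin includes write are assumptions. The first check authorizes on the endpoint alone, the second derives the required scope from each key being written and fails closed.

```python
# Assumed key layout: "global." is fleet-wide, "agent." is per-agent.
REQUIRED_SCOPE_BY_PREFIX = (("global.", "operator.admin"), ("agent.", "operator.write"))
IMPLIED = {"operator.admin": {"operator.write"}}  # assumption: admin includes write

class ScopeError(PermissionError):
    """Raised when the caller's scopes do not cover the requested write."""

def authorize_endpoint_only(token_scopes, keys):
    """Flawed pattern: the check is tied to the endpoint, not to what is written."""
    if "operator.write" not in token_scopes:
        raise ScopeError("operator.write required")
    return True  # keys are never inspected, so a global.* key is accepted

def required_scope(key):
    """Scope guarding a config key; anything unclassified needs admin."""
    canonical = key.strip().lower()
    for prefix, scope in REQUIRED_SCOPE_BY_PREFIX:
        if canonical.startswith(prefix):
            return scope
    return "operator.admin"  # fail closed

def authorize_by_target(token_scopes, keys):
    """Hardened pattern: every key in the batch must be covered, or none is applied."""
    held = set(token_scopes)
    for s in token_scopes:
        held |= IMPLIED.get(s, set())
    for key in keys:
        need = required_scope(key)
        if need not in held:
            raise ScopeError(f"{need} required for {key!r}")
    return True

def allowed(check, token_scopes, keys):
    """True if `check` authorizes the write, False if it raises ScopeError."""
    try:
        return check(token_scopes, keys)
    except ScopeError:
        return False
```

Authorizing the whole batch before applying any key keeps a permitted per-agent key from carrying a global key through in the same request.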

Exploitation Scenario

An attacker who has obtained operator.write credentials — via phishing a Gateway operator, credential stuffing against an exposed portal, or compromising a CI/CD service account with operator-level access — authenticates to the OpenClaw Gateway API. They craft an API request targeting the Active Memory write endpoint, specifying a global configuration parameter (such as the default tool permission set or the memory retention window) normally gated behind operator.admin. The Gateway's insufficient scope validation accepts the request as a valid write-scope operation and applies the global configuration change without enforcing the operator.admin privilege check. The modification persists across all subsequent agent sessions, silently altering agent behavior fleet-wide — for example, expanding tool invocation permissions for all agents — without generating admin-tier audit events, and may go undetected until behavioral anomalies surface in downstream outputs or a configuration audit is performed.

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
