CVE-2026-53848: OpenClaw: exec allowlist bypass via command wrappers

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw, an AI agent framework, contains an incomplete allowlist validation flaw (CWE-184) that lets any authenticated operator with low privileges execute wrapper-level side effects well outside the intended command scope. At CVSS 4.3 with network access and low attack complexity, any legitimate user of the agent platform can abuse transparent command wrappers to trigger unintended operations — effectively defeating the trust boundary the allowlist was designed to enforce. The vulnerability is not currently in CISA KEV, no public exploit code exists, and EPSS data is unavailable, suggesting limited active exploitation at this time. Upgrade to OpenClaw 2026.5.26 or later; if patching is not immediately possible, restrict access to the command API to explicitly trusted principals and audit operator privilege assignments.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, though elevated in agentic AI deployments where the allowlist is a primary security control boundary. The CVSS 4.3 reflects limited integrity impact and unchanged scope, but the low complexity and operator-level (not admin-level) requirement are concerning in environments with many service accounts or delegated operator roles. AI agent frameworks are increasingly used in automated pipelines where a single allowlist bypass can chain into downstream unintended tool calls or lateral actions. The absence of EPSS data and no KEV listing indicates this is newly disclosed with no observed in-the-wild exploitation.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker authenticates to the OpenClaw deployment using low-privilege operator credentials, gaining legitimate API access to submit command requests.

  2. Allowlist Bypass (AML.T0107): Attacker crafts a command request embedding unintended operations inside a transparent command wrapper, which the allowlist validator passes because it only inspects declared command intent.

  3. Unintended Execution (AML.T0053): OpenClaw executes the wrapper-level side effects outside the allowlisted command scope, invoking operations the operator is not authorized to trigger directly.

  4. Impact (AML.T0048): Unintended operations produce integrity violations — unauthorized writes, unapproved agent tool calls, or interactions with downstream services connected to the agent pipeline.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Patched: No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None

What should I do?

6 steps
  1. Patch immediately: upgrade OpenClaw to version 2026.5.26 or later per the vendor advisory.

  2. If patching is not immediately possible, restrict network access to the OpenClaw command API to explicitly trusted operators and IP ranges at the network layer.

  3. Audit all operator accounts — revoke or restrict any accounts with low-privilege access that do not require command submission rights.

  4. Review command wrapper configurations and execution logs for anomalous patterns that may indicate prior exploitation.

  5. Enable structured logging on all command requests and alert on operations falling outside expected command patterns.

  6. Review the GitHub security advisory GHSA-cwpp-5962-q4f6 and VulnCheck advisory for additional vendor guidance and indicators.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1 - AI system design and security controls
NIST AI RMF
MANAGE 2.2 - Mechanisms to prevent unintended AI behavior
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53848?

OpenClaw, an AI agent framework, contains an incomplete allowlist validation flaw (CWE-184) that lets any authenticated operator with low privileges execute wrapper-level side effects well outside the intended command scope. At CVSS 4.3 with network access and low attack complexity, any legitimate user of the agent platform can abuse transparent command wrappers to trigger unintended operations — effectively defeating the trust boundary the allowlist was designed to enforce. The vulnerability is not currently in CISA KEV, no public exploit code exists, and EPSS data is unavailable, suggesting limited active exploitation at this time. Upgrade to OpenClaw 2026.5.26 or later; if patching is not immediately possible, restrict access to the command API to explicitly trusted principals and audit operator privilege assignments.

Is CVE-2026-53848 actively exploited?

No confirmed active exploitation of CVE-2026-53848 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53848?

  1. Patch immediately: upgrade OpenClaw to version 2026.5.26 or later per the vendor advisory.

  2. If patching is not immediately possible, restrict network access to the OpenClaw command API to explicitly trusted operators and IP ranges at the network layer.

  3. Audit all operator accounts — revoke or restrict any accounts with low-privilege access that do not require command submission rights.

  4. Review command wrapper configurations and execution logs for anomalous patterns that may indicate prior exploitation.

  5. Enable structured logging on all command requests and alert on operations falling outside expected command patterns.

  6. Review the GitHub security advisory GHSA-cwpp-5962-q4f6 and VulnCheck advisory for additional vendor guidance and indicators.

What systems are affected by CVE-2026-53848?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, automated task pipelines, multi-agent orchestration, human-in-the-loop agent systems.

What is the CVSS score for CVE-2026-53848?

CVE-2026-53848 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, automated task pipelines, multi-agent orchestration, human-in-the-loop agent systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.

Exploitation Scenario

An authenticated operator — such as a junior analyst, read-only service account, or compromised credential — submits a crafted command request to an OpenClaw-based agent deployment. By embedding a transparent command wrapper around the intended command, the operator includes side-effect operations that bypass the allowlist validator, which only inspects the declared command intent rather than the full wrapper execution path. OpenClaw processes the request and executes the wrapper-level side effects — such as writing to restricted paths, calling unapproved agent tools, or invoking downstream services — that the operator would not normally be authorized to trigger directly. Because the outer command is allowlisted, no alert is raised.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
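The exploitation scenario and the CWE-184 guidance above make the same point: a validator that reasons about the outer, declared command while treating wrappers as transparent is an incomplete list. The following is an added example, not OpenClaw's code (the page does not describe how its validator is implemented), showing a hypothetical flawed check beside a hardened one that resolves the effective command by peeling known wrappers and refusing anything it cannot resolve, plus an audit routine over constructed structured log lines of the kind remediation step 5 calls for. The allowed-command set, the wrapper set, and the log schema are all constructed assumptions.

```python
"""Hypothetical allowlist validator and log audit (added example, not OpenClaw code).

Everything here is constructed for illustration: the allowed commands, the
set of transparent wrappers, and the structured log format are assumptions,
not OpenClaw's actual configuration or schema.
"""
import json
import os
from typing import List, Optional

# Constructed policy: programs an operator is permitted to run.
ALLOWED_COMMANDS = {"ls", "cat", "grep", "wc"}
# Wrappers that execute whatever command follows their own options.
TRANSPARENT_WRAPPERS = {"env", "nice", "nohup", "timeout"}
# Interpreters that take code as an argument; the inner command cannot be
# resolved statically, so the hardened check refuses them outright.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def naive_is_allowed(argv: List[str]) -> bool:
    """Flawed check (CWE-184 pattern): a known wrapper is waved through
    without inspecting the command it wraps."""
    if not argv:
        return False
    head = os.path.basename(argv[0])
    return head in ALLOWED_COMMANDS or head in TRANSPARENT_WRAPPERS


def strip_wrapper(argv: List[str]) -> Optional[List[str]]:
    """Remove one leading transparent wrapper and its options.
    Returns None when the wrapper's options are not understood; an
    unparseable shape is refused rather than guessed at."""
    head = os.path.basename(argv[0])
    rest = argv[1:]
    if head == "nohup":
        return rest
    if head == "env":
        while rest and "=" in rest[0] and not rest[0].startswith("-"):
            rest = rest[1:]  # NAME=VALUE assignments, skip them
        # env -i / -u / -S change semantics; refuse rather than guess.
        return None if rest and rest[0].startswith("-") else rest
    if head == "nice":
        if rest and rest[0] == "-n" and len(rest) > 1:
            return rest[2:]
        if rest and rest[0].startswith("-"):  # "-10" form, or unknown flag
            return rest[1:] if rest[0][1:].isdigit() else None
        return rest
    if head == "timeout":
        if not rest or rest[0].startswith("-"):
            return None
        return rest[1:]  # first positional argument is the duration
    return None


def resolve_effective_command(argv: List[str], max_depth: int = 8) -> Optional[str]:
    """Peel transparent wrappers until a real program name is reached.
    Returns None for shells, unknown wrapper options, or excessive nesting."""
    for _ in range(max_depth):
        if not argv:
            return None
        head = os.path.basename(argv[0])
        if head in SHELLS:
            return None
        if head not in TRANSPARENT_WRAPPERS:
            return head
        argv = strip_wrapper(argv)
        if argv is None:
            return None
    return None


def hardened_is_allowed(argv: List[str]) -> bool:
    """Allowlist applied to the effective command, not the outer wrapper."""
    effective = resolve_effective_command(argv)
    return effective is not None and effective in ALLOWED_COMMANDS


# Constructed structured log: one JSON object per command request.
SAMPLE_LOG = """\
{"ts":"2026-06-16T10:00:01Z","operator":"analyst1","intent":"ls","argv":["ls","-l","/data"]}
{"ts":"2026-06-16T10:00:02Z","operator":"analyst1","intent":"grep","argv":["nice","-n","5","grep","-r","error","/var/log/app"]}
{"ts":"2026-06-16T10:00:03Z","operator":"svc-report","intent":"cat","argv":["env","LC_ALL=C","tee","/etc/agent/policy.yaml"]}
{"ts":"2026-06-16T10:00:04Z","operator":"svc-report","intent":"wc","argv":["timeout","30","sh","-c","wc -l /data/*"]}
"""


def audit_log(text: str) -> List[dict]:
    """Flag requests whose effective command is disallowed, unresolvable,
    or different from the intent the operator declared."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        effective = resolve_effective_command(rec["argv"])
        if (effective is None or effective not in ALLOWED_COMMANDS
                or effective != rec["intent"]):
            findings.append({"ts": rec["ts"], "operator": rec["operator"],
                             "intent": rec["intent"],
                             "effective": effective or "<unresolvable>"})
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

The design choice worth noting is the default: anything the resolver does not understand (a shell, an unknown wrapper flag, nesting beyond the depth limit) is denied, so the validator only ever affirms "good" input, as the CWE guidance recommends. The audit compares the resolved command against both the allowlist and the declared intent, so a request that is individually permitted but mismatches what the operator claimed still surfaces for review.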

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
