CVE-2026-53850: OpenClaw: auth bypass allows unauthorized focus state change

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.4.25 contains a missing authorization flaw (CWE-862) in its focus command, allowing any authenticated caller with low local privileges to invoke the command outside their permitted scope and manipulate agent focus state without proper checks. The high integrity impact (CVSS I:H, score 5.5) is a real concern for teams running OpenClaw in shared or multi-tenant AI agent environments where privilege separation between callers is a security boundary, since unauthorized focus changes can redirect which tasks, data sources, or operations an agent processes downstream. No public exploit exists and the vulnerability is not in CISA KEV, but the low attack complexity and zero user-interaction requirement mean any insider or compromised low-privilege service account can exploit it trivially once inside the environment. Patch to OpenClaw 2026.4.25 or later immediately; as a short-term measure, enforce strict gateway configuration to restrict which authenticated callers can invoke focus commands and review all input trust level settings on agent-facing interfaces.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium overall risk, but elevated in multi-tenant or shared AI agent deployments where caller privilege separation is a security boundary. CVSS 5.5 reflects the local access requirement, which limits remote exploitation; however, the combination of low attack complexity, no user interaction required, and high integrity impact means exploitation is trivial once an attacker has any local foothold or compromised low-privilege account. The absence of confidentiality and availability impact bounds the blast radius. No EPSS data, no KEV listing, and no public exploit lower immediate urgency, but the attack vector fits typical insider threat and lateral movement scenarios in AI infrastructure.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker authenticates to the OpenClaw agent system using a valid low-privilege local account or compromised service account.

  2. Authorization Bypass (AML.T0053): Attacker invokes the focus command directly, exploiting the missing authorization check (CWE-862) to execute outside their permitted caller scope without triggering enforcement.

  3. Agent State Manipulation (AML.T0081): Focus state is modified beyond the attacker's intended authority, redirecting the AI agent's operational target, task context, or data processing scope.

  4. Impact (AML.T0048): Downstream agent operations execute under the manipulated focus context, potentially enabling unauthorized data access, pipeline redirection, or policy-violating agentic actions.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 61% patched, ~0d to patch

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

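AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): None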

What should I do?

  1. Patch: Upgrade OpenClaw to version 2026.4.25 or later, which enforces proper authorization on the focus command.

  2. Gateway hardening: Audit gateway configurations to enforce minimum input trust levels; restrict which authenticated callers are permitted to invoke focus-related commands at the gateway layer.

  3. Least-privilege: Ensure all OpenClaw service accounts and API clients hold only the minimum permissions required; revoke any broad caller access not justified by business need.

  4. Detection: Monitor audit logs for focus command invocations from low-privilege accounts or outside defined caller workflows; alert on focus state changes originating from non-standard or unexpected callers.

  5. Network segmentation: Confirm the OpenClaw agent runtime is not exposed beyond the local environment or a strictly controlled internal network segment.
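
A sketch of the detection in step 4, checked against the caller allowlist from step 2; it is added here as an example and is not OpenClaw's own code. The JSON audit-record layout, the field names (`caller`, `role`, `command`, `target`) and the allowlist contents are assumptions; map them to the log schema your deployment actually emits.

```python
import json

# Constructed sample audit records (hypothetical schema, not OpenClaw's real log format).
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-06-16T09:00:01Z", "caller": "orchestrator", "role": "operator", "command": "focus", "target": "session-a"}
{"ts": "2026-06-16T09:00:07Z", "caller": "svc-metrics", "role": "viewer", "command": "status", "target": "session-a"}
{"ts": "2026-06-16T09:01:12Z", "caller": "svc-metrics", "role": "viewer", "command": "focus", "target": "session-b"}
{"ts": "2026-06-16T09:02:30Z", "caller": "dev-laptop-17", "role": "operator", "command": "focus", "target": "session-b"}
not-json garbage line
"""

# Assumed policy: which callers may change focus state, and which roles are privileged enough.
FOCUS_ALLOWED_CALLERS = {"orchestrator"}
FOCUS_ALLOWED_ROLES = {"operator", "admin"}


def find_suspicious_focus_events(log_text):
    """Return (alerts, unparsed_count) for focus invocations that violate the policy."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # count rather than silently drop: gaps in audit logs matter
            continue
        if not isinstance(event, dict) or event.get("command") != "focus":
            continue
        reasons = []
        if event.get("role") not in FOCUS_ALLOWED_ROLES:
            reasons.append("low-privilege role")
        if event.get("caller") not in FOCUS_ALLOWED_CALLERS:
            reasons.append("caller not in focus allowlist")
        if reasons:
            alerts.append({"ts": event.get("ts"), "caller": event.get("caller"),
                           "target": event.get("target"), "reasons": reasons})
    return alerts, unparsed


if __name__ == "__main__":
    found, bad_lines = find_suspicious_focus_events(SAMPLE_AUDIT_LOG)
    for a in found:
        print(f'{a["ts"]} {a["caller"]} -> {a["target"]}: {", ".join(a["reasons"])}')
    print(f"unparsed lines: {bad_lines}")
```

The second alert shows why the allowlist check matters on unpatched versions: the caller's role looks sufficient, yet the invocation comes from outside the defined caller workflow.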

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.1 - Access control policy
NIST AI RMF: GOVERN 6.2 - Policies and procedures are in place for organizational accountability and AI risk management
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53850 actively exploited?

No confirmed active exploitation of CVE-2026-53850 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53850?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration pipelines, AI gateway deployments.

What is the CVSS score for CVE-2026-53850?

CVE-2026-53850 has a CVSS v3.1 base score of 5.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration pipelines, AI gateway deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.1
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.

Exploitation Scenario

An attacker with a compromised low-privilege developer account or service account in an organization's AI agent infrastructure identifies that OpenClaw is running locally. They call the focus command API endpoint directly, exploiting the missing authorization check to bypass caller scope enforcement. By manipulating the agent's focus state, the attacker redirects the AI agent's operational target — for example, switching its processing context to handle attacker-controlled data or pivoting the agent's task focus to exfiltrate sensitive outputs from another workflow running in the same environment. If the gateway configuration trusts focus state changes at the command level without secondary validation, subsequent agent actions execute under the manipulated context without triggering anomaly alerts, effectively enabling unauthorized lateral movement within the AI pipeline.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
