AI Threat Alert

CVE-2026-53852: OpenClaw: scope bypass allows unauthorized device access

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.4.25 contains a logic flaw in its device re-pairing flow: authenticated operators can submit re-pairing requests with an empty scope set, causing containment guards to skip enforcement and restoring the device to its previous broader scope. The attack requires only low-privilege credentials over the network with no user interaction — exactly the profile that gets abused by compromised service accounts or malicious insiders in AI agent deployments. While not in CISA KEV and no public exploits are confirmed, the flaw (CWE-636: Not Enough Complexity) is trivially discoverable via API fuzzing, and any AI agent relying on OpenClaw for device-level access control can silently acquire permissions beyond its authorized boundary. Upgrade to OpenClaw 2026.4.25 immediately; as an interim measure, add API-gateway validation rejecting re-pairing requests with null or empty scope payloads, and audit existing device sessions for anomalous scope restoration events.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 5.4) with elevated contextual risk in AI agent deployments. Network-accessible with low attack complexity and low privilege requirements makes this trivially exploitable by any authenticated user including compromised service accounts. The scope containment bypass violates least-privilege enforcement — a foundational control for AI agents operating across device boundaries. No active exploitation evidence, no KEV listing, and no public PoC currently reduce immediate urgency, but the logic flaw pattern is easy to rediscover independently.

How does the attack unfold?

Initial Access
Attacker authenticates to OpenClaw using valid low-privilege operator credentials obtained via phishing, credential stuffing, or insider access.
AML.T0012
Exploitation
Attacker submits a device re-pairing API request with an empty scope set, causing containment guard logic to skip enforcement and accept the request as valid.
AML.T0049
Scope Escalation
The targeted device retains or reverts to its pre-containment broader scope, granting the attacker's session access to device capabilities and data feeds outside the authorized boundary.
AML.T0107
Impact
AI agent operates with expanded unauthorized device permissions, enabling cross-device data harvesting, unauthorized sensor access, or lateral movement across the device namespace.
AML.T0053

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A None

What should I do?

5 steps

  1. Patch: Upgrade OpenClaw to version 2026.4.25 or later immediately.

  2. Interim workaround: Enforce server-side validation at the API gateway layer to reject any re-pairing request where the scope field is null, empty, or missing — treat absence of scope as a policy violation, not a no-op.

  3. Detection: Query re-pairing API logs for requests with empty/null scope payloads; alert on any device session where scope width increased after a containment event.

  4. Audit: Review active device sessions for anomalous scope assignments that may have been set prior to patching.

  5. Rotate credentials on any service accounts that have access to the re-pairing endpoint as a precaution.

How is it classified?

Auth Bypass Data Extraction Agent API AML.T0012 AML.T0049 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.2 - Access control to AI systems
NIST AI RMF
GOVERN 1.2 - Accountability and transparency
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53852?

OpenClaw before 2026.4.25 contains a logic flaw in its device re-pairing flow: authenticated operators can submit re-pairing requests with an empty scope set, causing containment guards to skip enforcement and restoring the device to its previous broader scope. The attack requires only low-privilege credentials over the network with no user interaction — exactly the profile that gets abused by compromised service accounts or malicious insiders in AI agent deployments. While not in CISA KEV and no public exploits are confirmed, the flaw (CWE-636: Not Enough Complexity) is trivially discoverable via API fuzzing, and any AI agent relying on OpenClaw for device-level access control can silently acquire permissions beyond its authorized boundary. Upgrade to OpenClaw 2026.4.25 immediately; as an interim measure, add API-gateway validation rejecting re-pairing requests with null or empty scope payloads, and audit existing device sessions for anomalous scope restoration events.

Is CVE-2026-53852 actively exploited?

No confirmed active exploitation of CVE-2026-53852 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53852?

1. Patch: Upgrade OpenClaw to version 2026.4.25 or later immediately. 2. Interim workaround: Enforce server-side validation at the API gateway layer to reject any re-pairing request where the scope field is null, empty, or missing — treat absence of scope as a policy violation, not a no-op. 3. Detection: Query re-pairing API logs for requests with empty/null scope payloads; alert on any device session where scope width increased after a containment event. 4. Audit: Review active device sessions for anomalous scope assignments that may have been set prior to patching. 5. Rotate credentials on any service accounts that have access to the re-pairing endpoint as a precaution.

What systems are affected by CVE-2026-53852?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, device access control systems, multi-agent orchestration, IoT and device management platforms.

What is the CVSS score for CVE-2026-53852?

CVE-2026-53852 has a CVSS v3.1 base score of 5.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworksdevice access control systemsmulti-agent orchestrationIoT and device management platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.

Exploitation Scenario

An attacker with a compromised low-privilege operator account authenticates to OpenClaw's re-pairing API. Instead of supplying the post-containment reduced scope in the request body, they submit an empty scope set. The containment guard logic — designed to prevent scope expansion — evaluates the empty set and skips enforcement, treating the absent scope as a no-op transition. The device retains or reverts to its pre-containment broader scope. The attacker's AI agent, now operating under the expanded scope, can access devices, sensors, or data feeds that were explicitly excluded by the containment policy, enabling unauthorized lateral movement or data harvesting across the device namespace without triggering scope-change alerts.

Weaknesses (CWE)

CWE-636 Not Failing Securely ('Failing Open') Primary

CWE-636 — Not Failing Securely ('Failing Open'): When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

  • [Architecture and Design] Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities

CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-cwj3-vqpp-pmxr 8.8

openclaw: Model bypasses authz to persist unsafe config

Same package: openclaw
HIGH CVE-2026-35674 8.8

OpenClaw: scope bypass enables full agent admin takeover

Same package: openclaw
Back to Threat Feed