CVE-2026-53853: OpenClaw exec allowlist bypass

CISO Take

OpenClaw's exec allowlist argPattern validation can be circumvented by directly invoking allowlisted executables with arbitrary arguments, granting a low-privileged attacker effective command execution without restriction on Linux and macOS. With a CVSS of 8.3 (High), low attack complexity, and no user interaction required, any AI agent deployment relying on OpenClaw's argPattern restrictions as a security boundary should treat those controls as failed. No public exploit or active KEV listing exists yet, but the bypass technique is conceptually straightforward—argPattern is enforced in software rather than at the OS level, making it trivially circumventable once identified. Upgrade to OpenClaw 2026.5.12 or later immediately; as a temporary measure, disable exec tool access entirely in agent configurations or apply OS-level sandboxing (seccomp, AppArmor) as a compensating control.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

HIGH. CVSS 8.3 reflects high confidentiality and integrity impact achievable by a low-privileged attacker with no user interaction over a network. The vulnerability is particularly dangerous in AI agent deployments where argPattern restrictions are the primary guardrail against unrestricted command execution—once the bypass is known, the entire security model of the exec allowlist collapses. Environments where OpenClaw agents have broad filesystem or network tool access amplify blast radius significantly. The absence of a public exploit slightly reduces immediate urgency, but the low-complexity nature means weaponization time is short.

How does the attack unfold?

Initial Access

Attacker obtains low-privilege access to a system or API endpoint running an OpenClaw-powered AI agent via valid credentials or a compromised user account.

AML.T0049

Discovery

Attacker enumerates the exec allowlist to identify allowlisted executables and their argPattern restrictions to select a target executable.

AML.T0084.001

Defense Evasion

Attacker directly invokes an allowlisted executable with unrestricted arguments, bypassing OpenClaw's argPattern validation logic entirely.

AML.T0107

Impact

Attacker achieves unauthorized file access, outbound network exfiltration, or arbitrary command execution on the host system beyond the agent's intended scope.

AML.T0053

Initial Access

Attacker obtains low-privilege access to a system or API endpoint running an OpenClaw-powered AI agent via valid credentials or a compromised user account.

AML.T0049

Discovery

Attacker enumerates the exec allowlist to identify allowlisted executables and their argPattern restrictions to select a target executable.

AML.T0084.001

Defense Evasion

Attacker directly invokes an allowlisted executable with unrestricted arguments, bypassing OpenClaw's argPattern validation logic entirely.

AML.T0107

Impact

Attacker achieves unauthorized file access, outbound network exfiltration, or arbitrary command execution on the host system beyond the agent's intended scope.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

8.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A Low

What should I do?

6 steps

Patch immediately: upgrade OpenClaw to version 2026.5.12 or later per the GHSA advisory.
If patching is not immediately feasible, disable exec tool access entirely in all agent configurations as an emergency workaround.
Audit existing argPattern configurations to document which executables are allowlisted and what risk their unrestricted invocation would pose.
Review agent execution logs for anomalous or unexpectedly broad argument patterns on allowlisted executables.
Apply network segmentation to restrict what AI agent processes can reach outbound.
Implement OS-level sandboxing (seccomp profiles, AppArmor policies, or container restrictions) as defense-in-depth independent of application-layer allowlist logic.

How is it classified?

Auth Bypass Code Execution Agent Framework AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0084.001 - Tool Definitions AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system technical security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployment-time risk management

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53853?

OpenClaw's exec allowlist argPattern validation can be circumvented by directly invoking allowlisted executables with arbitrary arguments, granting a low-privileged attacker effective command execution without restriction on Linux and macOS. With a CVSS of 8.3 (High), low attack complexity, and no user interaction required, any AI agent deployment relying on OpenClaw's argPattern restrictions as a security boundary should treat those controls as failed. No public exploit or active KEV listing exists yet, but the bypass technique is conceptually straightforward—argPattern is enforced in software rather than at the OS level, making it trivially circumventable once identified. Upgrade to OpenClaw 2026.5.12 or later immediately; as a temporary measure, disable exec tool access entirely in agent configurations or apply OS-level sandboxing (seccomp, AppArmor) as a compensating control.

Is CVE-2026-53853 actively exploited?

No confirmed active exploitation of CVE-2026-53853 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53853?

1. Patch immediately: upgrade OpenClaw to version 2026.5.12 or later per the GHSA advisory. 2. If patching is not immediately feasible, disable exec tool access entirely in all agent configurations as an emergency workaround. 3. Audit existing argPattern configurations to document which executables are allowlisted and what risk their unrestricted invocation would pose. 4. Review agent execution logs for anomalous or unexpectedly broad argument patterns on allowlisted executables. 5. Apply network segmentation to restrict what AI agent processes can reach outbound. 6. Implement OS-level sandboxing (seccomp profiles, AppArmor policies, or container restrictions) as defense-in-depth independent of application-layer allowlist logic.

What systems are affected by CVE-2026-53853?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI coding assistants, agentic automation pipelines, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-53853?

CVE-2026-53853 has a CVSS v3.1 base score of 8.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI coding assistantsagentic automation pipelinesmulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0084.001 Tool Definitions

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 8.4

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.

Exploitation Scenario

An attacker with low-privilege API access to an OpenClaw-powered AI agent identifies that curl is on the exec allowlist with an argPattern restriction limiting it to safe GET requests against internal endpoints. The attacker directly invokes curl bypassing the argPattern validation check, using it to POST sensitive files from the host filesystem to an attacker-controlled server. Alternatively, the attacker invokes an allowlisted python executable with -c to run an arbitrary reverse shell payload, gaining interactive host access. Because argPattern enforcement is in OpenClaw's application logic rather than enforced by the OS kernel, the restriction is bypassed purely in userspace without any privilege escalation required beyond the initial low-privilege agent access.

Weaknesses (CWE)

CWE-693 Protection Mechanism Failure Primary CWE-863 Incorrect Authorization Primary

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.