CVE-2026-53854: OpenClaw: privilege escalation via channel auth wildcard

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before version 2026.4.25 allows any low-privileged authenticated user to inherit the wildcard ownerAllowFrom authorization state from one channel and execute owner-level commands across unintended channel boundaries, effectively bypassing access controls in the agent framework. This is a network-accessible, low-complexity flaw (AC:L, PR:L, UI:N) — conditions that make opportunistic abuse realistic even without a public exploit or KEV listing, as exploitation requires no specialized knowledge and no user interaction. The integrity impact is rated HIGH, meaning an attacker can modify agent behavior and issue privileged commands without triggering standard authorization denials. Patch immediately to 2026.4.25 or later and audit all channel ownerAllowFrom configurations for unexpected wildcard settings.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium CVSS (6.5) but operationally elevated in AI agent deployments. The low attack complexity and low privilege requirement mean any authenticated user can attempt exploitation — no specialized tooling or ML knowledge required. No public exploit or KEV listing currently, and EPSS data is unavailable for this newly published CVE. However, the vulnerability class (CWE-863 Incorrect Authorization) is well-understood and the exploitation pattern is straightforward. Environments where OpenClaw agents have privileged tool access, execute downstream system actions, or operate in multi-tenant architectures face amplified business impact beyond the CVSS score.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains or uses a low-privileged authenticated account on an OpenClaw instance with internal or webchat command paths exposed.

  2. Exploitation (AML.T0049): Attacker sends crafted commands through the affected webchat or internal command path, triggering wildcard ownerAllowFrom state inheritance across channel boundaries.

  3. Privilege Escalation (AML.T0053): Attacker's session inherits owner-level authorization state, enabling execution of owner-style commands on channels entirely outside their authorized scope.

  4. Impact (AML.T0048): Attacker executes privileged AI agent actions — tool invocations, configuration modifications, or downstream system commands — that exceed their originally authorized permission level.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   pip                              No patch

4 dependents; 61% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: High
A: None

What should I do?

  1. Patch OpenClaw to version 2026.4.25 or later immediately — this is the primary remediation.

  2. Audit all channel configurations for wildcard ownerAllowFrom settings and replace wildcards with explicit, scoped allowlists where possible.

  3. Review command execution logs across all channels for anomalous cross-channel owner-level commands issued from non-owner accounts.

  4. Apply principle of least privilege to internal and webchat command path configurations.

  5. If patching is delayed, isolate internal command interfaces from general user access and block cross-channel command routing at the network or application gateway layer.
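
One way to carry out the audit in step 2, as an added example (not OpenClaw's own tooling and not code from the advisory): a schema-agnostic scan that walks a parsed configuration and reports every ownerAllowFrom allowlist that contains a wildcard. Only the ownerAllowFrom key name comes from the advisory; the "*" wildcard spelling, the sample layout and the identity strings are assumptions constructed for illustration.

```python
import json

WILDCARD = "*"  # assumption: a wildcard allowlist entry is written as "*"

def find_owner_allow_from(node, path=""):
    """Yield (path, value) for every ownerAllowFrom key at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "ownerAllowFrom":
                yield child, value
            else:
                yield from find_owner_allow_from(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_owner_allow_from(item, f"{path}[{i}]")

def audit(config):
    """Return (path, kind, offending_entries) for each allowlist using '*'."""
    findings = []
    for path, value in find_owner_allow_from(config):
        # Accept both a single string and a list of entries.
        entries = value if isinstance(value, list) else [value]
        hits = [e for e in entries if isinstance(e, str) and WILDCARD in e]
        if hits:
            # "wildcard" = a bare "*"; "pattern" = a partial glob such as "team-*".
            full = any(e.strip() == WILDCARD for e in hits)
            findings.append((path, "wildcard" if full else "pattern", hits))
    return findings

# Constructed sample configuration; the layout is hypothetical and the scan
# does not depend on it, only on the ownerAllowFrom key name.
SAMPLE_CONFIG = json.loads("""
{
  "channels": {
    "webchat": {"ownerAllowFrom": ["*"]},
    "ops":     {"ownerAllowFrom": ["user:alice", "user:bob"]},
    "support": {"accounts": [{"id": "a1", "ownerAllowFrom": "*"}]}
  },
  "commands": {"ownerAllowFrom": ["user:alice", "team-*"]}
}
""")

if __name__ == "__main__":
    for path, kind, hits in audit(SAMPLE_CONFIG):
        print(f"{kind:8} {path}: {hits}")
```

Each "wildcard" finding is a candidate for replacement with an explicit, scoped allowlist; "pattern" findings need a manual check of what the glob actually matches.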

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.2 - AI System Lifecycle — Operation
NIST AI RMF: GOVERN-6.1 - Policies and procedures are in place for AI risk management
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions


Is CVE-2026-53854 actively exploited?

No confirmed active exploitation of CVE-2026-53854 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-53854?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-channel AI agents, AI chat interfaces.

What is the CVSS score for CVE-2026-53854?

CVE-2026-53854 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-channel AI agents, AI chat interfaces

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: GOVERN-6.1
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

Exploitation Scenario

An attacker with a low-privileged OpenClaw account — such as a standard webchat user or internal channel participant — identifies a channel with a wildcard ownerAllowFrom configuration. By sending crafted commands through the affected webchat or internal command path, the attacker's session inherits the wildcard owner authorization state, allowing them to issue owner-style commands on channels entirely outside their authorized scope. In an AI agent deployment, this translates to triggering privileged tool calls, modifying agent memory or operational context, or executing actions with elevated downstream system access that was explicitly denied to the attacker's account.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026

Related Vulnerabilities