CVE-2026-53855: OpenClaw: allowlist bypass enables shell code execution

HIGH
Published June 16, 2026
CISO Take

OpenClaw before 2026.4.2 contains an authorization bypass (CWE-863) combined with incomplete input validation (CWE-184) in its tool allowlist enforcement, allowing any authenticated operator to smuggle inline-eval payloads through shell positional parameters and execute arbitrary shell commands the platform was explicitly designed to prevent. With a CVSS of 8.1, a network-accessible attack vector, low privilege requirement, and zero user interaction needed, every OpenClaw deployment that exposes operator-level access to potentially untrusted users — a common pattern in team-shared or multi-tenant AI agent environments — is at risk of confidentiality and integrity compromise. No public exploit exists yet and the vulnerability is absent from CISA KEV, but the low attack complexity means weaponization is straightforward for any attacker holding valid credentials, making the time-to-exploit window short once the advisory detail circulates. Upgrade immediately to OpenClaw 2026.4.2+; if patching is blocked, restrict operator access to fully-trusted principals and audit shell invocation logs for positional parameter patterns combined with eval constructs.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk. CVSS 8.1 reflects network accessibility, low attack complexity, low privilege requirement, and high impact on both confidentiality and integrity with no availability impact. The vulnerability directly undermines a security control purpose-built to constrain AI agent tool execution, meaning exploitation leaves no compensating control in place within the affected component. EPSS data is unavailable due to the recent publication date, but the trivial exploitation complexity and authenticated-only requirement suggest rapid weaponization potential once the advisory is widely indexed. No active exploitation or KEV listing reduces immediate urgency slightly, but any organization running OpenClaw should treat this as an emergency patch given the low barrier.

How does the attack unfold?

  1. Credential Access (AML.T0012): Attacker acquires valid operator-level credentials for the OpenClaw deployment via phishing, credential stuffing, or insider access.

  2. Allowlist Evasion (AML.T0107): Attacker crafts a tool invocation embedding shell positional parameters carrying inline-eval content inside an allowlisted tool carrier, bypassing OpenClaw's allowlist enforcement.

  3. Shell Execution (AML.T0050): The inline-eval payload executes in the agent process's shell context, running arbitrary commands outside the intended allowlist restrictions.

  4. Data Exfiltration and Persistence (AML.T0053): Attacker exfiltrates credentials, API keys, and sensitive data accessible to the agent, and optionally modifies agent configuration files to establish persistence.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | pip | (not stated) | No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. Patch: upgrade OpenClaw to 2026.4.2 or later — this is the only complete fix.

  2. If patching is delayed, immediately restrict operator-level access to fully-verified, trusted-only principals and revoke any broad operator grants given to external or semi-trusted users.

  3. Enable shell command auditing on OpenClaw hosts and create alerts for executions involving positional parameter expansion ($1, $@, $*, $#) in combination with eval, exec, or subprocess-equivalent constructs.

  4. Review IAM policies and access logs for operator roles to identify any accounts that may already have been used for exploitation since 2026-06-16.

  5. Rotate credentials and API keys accessible from the agent process as a precautionary measure until audit is complete.
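A detection rule for step 3, written here as an added example (it is not OpenClaw's own code or logging format): it scans constructed, tab-separated shell audit lines and flags only commands that combine a positional-parameter expansion with an eval-style carrier. The log layout, field names and sample lines are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Positional-parameter expansions named in the remediation step ($1..$9, $@, $*, $#),
# including the braced spellings (${1}, ${@}) that expand the same way.
POSITIONAL_RE = re.compile(r"\$(?:[0-9@*#]|\{[0-9@*#]\})")

# Inline-eval carriers: the eval/exec builtins, and a shell started with -c so that
# its command text comes from an argument rather than a script file.
EVAL_RE = re.compile(
    r"(?:^|[\s;&|'\"(])(?:eval|exec)(?=[\s;&|'\")]|$)"
    r"|\b(?:sh|bash|dash|zsh|ksh)\s+-[A-Za-z]*c\b"
    r"|\bsubprocess\.|\bos\.system\("
)

def is_suspicious(cmd: str) -> bool:
    """Alert rule: positional expansion AND an eval-style carrier in one command."""
    return bool(POSITIONAL_RE.search(cmd)) and bool(EVAL_RE.search(cmd))

def parse_line(line: str) -> Optional[dict]:
    """Assumed tab-separated audit format: ts, user, tool, cmd (cmd may contain spaces)."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, user, tool, cmd = parts
    return {"ts": ts, "user": user, "tool": tool, "cmd": cmd}

def scan(lines: Iterable[str]) -> List[dict]:
    """Return the parsed records whose command matches the alert rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["cmd"]):
            alerts.append(rec)
    return alerts

# Constructed sample log lines (not real OpenClaw output); only bob and dave should fire.
SAMPLE_LOG = [
    "2026-06-16T10:00:01Z\talice\tgit\tgit status",
    "2026-06-16T10:00:07Z\tbob\trunner\tsh -c 'eval \"$1\"' _ id",
    "2026-06-16T10:00:09Z\tcarol\treport\t./report.sh $1",
    "2026-06-16T10:00:12Z\tdave\twrapper\tbash -c \"$@\" _ id",
    "2026-06-16T10:00:15Z\terin\tshell\teval echo hello",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"ALERT {rec['ts']} user={rec['user']} tool={rec['tool']} cmd={rec['cmd']}")
```

A positional parameter on its own (carol) or an eval without one (erin) is deliberately not flagged, which keeps the rule usable on hosts where ordinary scripts take arguments.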

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15(4) - Cybersecurity resilience
ISO 42001
A.6.2.3 - Security controls for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms for AI system updates and security maintenance
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53855 actively exploited?

No confirmed active exploitation of CVE-2026-53855 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53855?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-agent orchestration systems, Agent tool execution environments, Shell-enabled AI automation pipelines.

What is the CVSS score for CVE-2026-53855?

CVE-2026-53855 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Multi-agent orchestration systems
Agent tool execution environments
Shell-enabled AI automation pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15(4)
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.

Exploitation Scenario

An attacker with operator-level credentials — obtained via phishing a team member, credential stuffing against the OpenClaw login, or exploiting an insider — crafts a tool invocation request targeting an allowlisted tool. Instead of passing a static argument, the attacker embeds shell positional parameters ($1 or $@) carrying inline-eval content as part of the shell carrier invoked by the allowlisted tool. Because OpenClaw's allowlist enforcement evaluates the base tool identifier without fully expanding positional argument content, the eval payload executes within the agent's shell context. The attacker then uses this execution to read environment variables containing LLM API keys, database credentials, or other secrets the agent holds, exfiltrates them to an external endpoint, and optionally modifies the agent's configuration to maintain persistent access — all while the audit trail shows invocations of a legitimately allowlisted tool.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026