CVE-2026-53856: OpenClaw: insecure permissions expose agent config

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw, an AI agent framework, fails to enforce restrictive file permissions when restoring OpenClaw.json during config recovery, leaving sensitive agent configuration data readable by all local users on the same host. On shared infrastructure — multi-tenant VMs, development servers, or shared CI/CD runners — any co-located user can read this file and harvest LLM API keys, tool credentials, and full agent configuration without any special privileges. The CVSS 5.5 Medium rating reflects local-only scope with no public exploit and no CISA KEV listing, but the confidentiality impact is rated High specifically because AI agent configs routinely embed LLM provider keys that unlock billable APIs and downstream tool integrations. Teams running OpenClaw on any shared host should upgrade to 2026.4.24 immediately, rotate all API keys stored in existing config files, and restrict OpenClaw.json to owner-only permissions (chmod 600).

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium overall risk, elevated to Medium-High for shared-host deployments. The vulnerability is trivially exploitable by any local user — CVSS AC:L, PR:L — with zero AI or security knowledge required once local access exists. No public exploit or active exploitation evidence further reduces immediate probability, but the High confidentiality impact score reflects the real-world value of what's exposed: LLM provider API keys stored in AI agent configs are high-value secrets that enable financial harm (API cost abuse) and lateral movement to connected services. Risk is LOW for isolated single-user or containerized deployments with proper OS-level separation; MEDIUM-HIGH for shared developer servers, multi-user build agents, and any environment where multiple OS users coexist on the same filesystem.

How does the attack unfold?

Initial Access
Attacker obtains a low-privileged OS user account on a shared host running OpenClaw — such as a shared development server, multi-tenant VM, or CI/CD build agent.
AML.T0012
Permission Exploitation
Config recovery is triggered by a crash, update, or restart, causing OpenClaw to restore OpenClaw.json with overly broad filesystem permissions accessible to all local users (CWE-732).
AML.T0037
Credential Harvest
Attacker reads the permissive OpenClaw.json from its recovery path, extracting embedded LLM API keys, tool credentials, and full agent workflow configuration.
AML.T0083
Impact: API Abuse
Stolen LLM API keys are used to impersonate the agent with LLM providers, enabling unauthorized inference calls, financial cost harvesting, and lateral access to all connected tool integrations.
AML.T0034

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: not listed in the package feed (the advisory covers OpenClaw before 2026.4.24)
Patched: no patched version recorded in the package feed; the advisory names 2026.4.24 as the fixed release
4 dependents, 61% patched, ~0d to patch


How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

5 steps
  1. Patch: Upgrade OpenClaw to version 2026.4.24 or later.

  2. Immediate: Audit and restrict permissions on all existing OpenClaw.json files, for example `find / -name 'OpenClaw.json' -type f 2>/dev/null -exec chmod 600 {} \;` run as root on each affected host (run unprivileged, chmod fails with EPERM on any file owned by another user). This is a stopgap, not a fix: an unpatched install restores the file with broad permissions again on the next recovery, so it does not replace steps 1 and 3, and any secret in a copy that was ever group- or world-readable should be treated as exposed.

  3. Rotate secrets: Invalidate and regenerate all LLM API keys and tool credentials stored in OpenClaw.json on any host with multiple OS users.

  4. Detection: Configure host-based file integrity monitoring (auditd, Falco, or AIDE) to alert on group- or world-readable OpenClaw.json files and on read access to them by any UID other than the owner.

  5. Architecture: Isolate AI agent workloads in dedicated containers or VMs per user/service to eliminate the local lateral movement surface entirely.
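An audit and stopgap remediation script covering steps 2 and 4, as an added example written for this page rather than OpenClaw's or the advisory's own tooling. The two-user directory layout it constructs, the file contents and the `OpenClaw.json` locations are assumptions. It walks the given roots without following symlinks, reports every copy whose group or other permission bits are set, and reduces the ones it is allowed to change to 0600:

```python
import json
import os
import pwd
import stat
import tempfile

CONFIG_NAME = "OpenClaw.json"


def find_config_files(roots, name=CONFIG_NAME):
    """Yield every path named `name` under the given roots. Symlinked
    directories are not followed, so a planted link cannot steer the audit
    (or the later chmod) at an unrelated file."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            if name in filenames:
                yield os.path.join(dirpath, name)


def assess(path):
    """Describe one config file's ownership and permission exposure."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry, common inside containers
        owner = str(st.st_uid)
    return {
        "path": path,
        "regular_file": stat.S_ISREG(st.st_mode),
        "owner": owner,
        "uid": st.st_uid,
        "mode": mode,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        # any group/other bit at all means the file is not owner-only
        "exposed": bool(mode & 0o077),
    }


def audit(roots):
    return [assess(p) for p in find_config_files(roots)]


def remediate(finding):
    """Reduce an exposed regular file to 0600. Returns False when the caller
    is neither the owner nor root (chmod fails with EPERM), so a non-root run
    reports such files instead of silently skipping them."""
    if not finding["regular_file"]:
        return False
    try:
        os.chmod(finding["path"], 0o600)
    except PermissionError:
        return False
    return True


def _write_sample(path, mode):
    # Constructed sample config; the key is a placeholder, not a real secret.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"api_key": "CONSTRUCTED-NOT-A-REAL-KEY"}, f)
    os.chmod(path, mode)  # force the mode regardless of the process umask


def demo():
    """Constructed two-user layout: alice's config is 0644 (the advisory's
    failure mode), bob's is already 0600, and a differently named file must
    be ignored. Returns what the audit found and what stayed exposed after
    remediation."""
    with tempfile.TemporaryDirectory() as d:
        _write_sample(os.path.join(d, "home", "alice", ".openclaw", CONFIG_NAME), 0o644)
        _write_sample(os.path.join(d, "home", "bob", ".openclaw", CONFIG_NAME), 0o600)
        _write_sample(os.path.join(d, "home", "alice", "notes.json"), 0o644)
        before = audit([d])
        fixed = sum(remediate(f) for f in before if f["exposed"])
        after = audit([d])

        def rel(f):
            return os.path.relpath(f["path"], d)

        return {
            "found": sorted(rel(f) for f in before),
            "exposed_before": sorted(rel(f) for f in before if f["exposed"]),
            "remediated": fixed,
            "exposed_after": sorted(rel(f) for f in after if f["exposed"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real host, call `audit(["/home", "/opt", "/var"])` (or wherever agents run) and feed the findings to the FIM tool; an auditd watch such as `-w /home/alice/.openclaw/OpenClaw.json -p r -k openclaw_config` then records every read of a known copy by UID. The lstat-then-chmod sequence is a small TOCTOU window, which is acceptable for a one-off audit but is another reason the chmod is only a stopgap until the patched version writes the file correctly.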

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9(2)(b) - Risk management — technical security measures
ISO 42001
A.9.4 - Information security in AI system operation
NIST AI RMF
MANAGE 2.2 - Risk treatments including controls for AI risks
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-53856?

CVE-2026-53856 is an insecure file permissions flaw (CWE-732) in OpenClaw's config recovery: OpenClaw before 2026.4.24 restores OpenClaw.json with overly broad permissions, so any local user on a shared host can read the embedded LLM API keys, tool credentials and agent configuration. It is rated CVSS 3.1 5.5 (Medium), local-only, with High confidentiality impact.

Is CVE-2026-53856 actively exploited?

No confirmed active exploitation of CVE-2026-53856 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53856?

1. Upgrade OpenClaw to 2026.4.24 or later. 2. As a stopgap, restrict every existing OpenClaw.json to owner-only permissions (`find / -name 'OpenClaw.json' -type f 2>/dev/null -exec chmod 600 {} \;` as root), remembering that an unpatched install re-creates the file with broad permissions on the next recovery. 3. Rotate all LLM API keys and tool credentials stored in OpenClaw.json on any multi-user host. 4. Monitor for group- or world-readable OpenClaw.json files and for reads by non-owner UIDs (auditd, Falco, or AIDE). 5. Isolate agent workloads in per-user or per-service containers or VMs.

What systems are affected by CVE-2026-53856?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD pipelines, model serving.

What is the CVSS score for CVE-2026-53856?

CVE-2026-53856 has a CVSS v3.1 base score of 5.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, CI/CD pipelines, model serving

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9(2)(b)
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.

Exploitation Scenario

An attacker with a low-privilege shell account on a shared Linux development server monitors for OpenClaw processes running under other users. When a legitimate user or automated CI script triggers config recovery after a crash or version update, OpenClaw restores OpenClaw.json with permissions 0644 (world-readable). No race needs to be won: the file keeps those permissions until something changes them, so the attacker reads it from its recovery path at leisure and extracts the embedded OpenAI or Anthropic API key. With the harvested key, the attacker makes bulk unauthorized LLM API calls at the victim organization's expense, reads any prior conversation context the agent stores in the config, or, if the write bits are also broad, modifies the config to inject malicious tool definitions that persist into the legitimate user's next agent session.
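To make the CWE-732 defect concrete, the following added example (written for this page, not OpenClaw's own code; the function names, the temp-file naming scheme and the sample config are assumptions) contrasts a recovery routine that writes the config with `open()` and therefore inherits the process umask against one that creates the file as 0600 from the first instant it exists and atomically replaces any earlier permissive copy:

```python
import json
import os
import stat
import tempfile

# Constructed sample config, not real credentials: the shape of secrets an
# agent config carries (LLM provider key plus tool credentials).
SAMPLE_CONFIG = {
    "llm_provider": "example-provider",
    "api_key": "sk-CONSTRUCTED-NOT-A-REAL-KEY",
    "tools": [{"name": "http", "token": "CONSTRUCTED-TOOL-TOKEN"}],
}


def file_mode(path):
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def restore_config_insecure(path, config):
    """Hypothetical recovery path with the defect the advisory describes:
    open(path, 'w') creates the file as 0666 & ~umask, so under the common
    022 umask every local user can read the restored secrets."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(config, f)


def restore_config_secure(path, config):
    """Restore with owner-only permissions from creation onwards: open a
    sibling temp file with an explicit 0600 mode (O_EXCL so a pre-planted
    file or symlink is never followed), write and fsync it, then
    os.replace() it over the target atomically. A pre-existing permissive
    OpenClaw.json is swapped out, never rewritten in place."""
    tmp = f"{path}.tmp.{os.getpid()}"  # assumed naming; O_EXCL fails closed if it exists
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(tmp, flags, 0o600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            os.fchmod(f.fileno(), 0o600)  # exact mode even under an unusual umask
            json.dump(config, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def demo(umask=0o022):
    """Run both restore paths under the given umask in a scratch directory
    and report the resulting modes. The secure path is exercised over an
    existing 0644 copy, as an unpatched host would have left behind."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            insecure = os.path.join(d, "insecure", "OpenClaw.json")
            existing = os.path.join(d, "existing", "OpenClaw.json")
            os.mkdir(os.path.dirname(insecure))
            os.mkdir(os.path.dirname(existing))
            restore_config_insecure(insecure, SAMPLE_CONFIG)
            restore_config_insecure(existing, SAMPLE_CONFIG)
            mode_before = file_mode(existing)
            restore_config_secure(existing, SAMPLE_CONFIG)
            with open(existing, encoding="utf-8") as f:
                round_trip = json.load(f)
            return {
                "insecure_mode": file_mode(insecure),
                "secure_mode_before": mode_before,
                "secure_mode": file_mode(existing),
                "secure_round_trip_ok": round_trip == SAMPLE_CONFIG,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {oct(v) if isinstance(v, int) else v}")
```

Running `demo()` under the default 022 umask yields 0o644 for the insecure path and 0o600 for the secure one; the insecure path only happens to produce 0o600 when the process umask is already 077, which is exactly the environmental dependence the fixed version must not rely on. On Windows the mode argument to `os.open` is ignored and `os.fchmod` is unavailable, so the same guarantee there needs an ACL rather than mode bits.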

Weaknesses (CWE)

CWE-732 — Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

  • [Implementation] When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.
  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 16, 2026
