CVE-2026-53861: OpenClaw: allowlist bypass enables arbitrary shell exec

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.6 contains an allowlist bypass in its macOS Swift exec feature that fails to recognize combined POSIX inline-command flags (e.g., '-rf' instead of '-r -f'), allowing shell commands outside the operator-configured allowlist to execute with the process's current privileges. For AI agent deployments where OpenClaw's command allowlist is the primary control boundary between the agent and the host OS, this represents a meaningful integrity risk — a low-privileged local user who can trigger user interaction can circumvent the intended command restrictions entirely, with high confidentiality and integrity impact (C:H/I:H). No public exploit exists and the vulnerability is not listed in CISA KEV, reducing immediate urgency, but agentic systems that depend on allowlist enforcement as their sandboxing model are directly exposed to this class of bypass. Operators should upgrade to OpenClaw 2026.5.6 or later immediately and audit existing allowlist configurations to verify that combined POSIX flag forms are accounted for in their access control policies.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk overall, elevated in AI agent contexts. The local attack vector (AV:L) and user interaction requirement (UI:R) limit opportunistic exploitation, but the low privilege requirement (PR:L) and low attack complexity (AC:L) mean that any local user with basic access can exploit this with minimal effort. In AI agent deployments on macOS, the required 'user interaction' may be as simple as the agent itself invoking a tool or processing a prompt — effectively lowering the practical bar for exploitation. High confidentiality and integrity impact with no public exploit or KEV listing places this in the 'monitor and patch promptly' tier rather than emergency response for most organizations, but teams relying on OpenClaw's allowlist as a primary security boundary should treat this with elevated urgency.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains low-privileged local access to a macOS host running an OpenClaw-based AI agent deployment, sufficient to interact with the agent or trigger its exec feature.

  2. Allowlist Bypass (AML.T0107): Attacker crafts shell commands using combined POSIX inline flags (e.g., '-rf' instead of '-r -f') that are not recognized by OpenClaw's Swift exec allowlist checker, evading the intended command restrictions.

  3. Unauthorized Execution (AML.T0053): When a user triggers the AI agent's exec feature (or the agent invokes it as part of a tool chain), OpenClaw executes the crafted command outside the allowlist boundary with the process's current privileges.

  4. Impact (AML.T0112.000): Attacker reads sensitive data including agent credentials and configuration (C:H), or modifies agent files and injects malicious code to establish persistence and pivot toward full host compromise (I:H).

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch
Dependents: 4 (61% patched, ~0d to patch)

If you run OpenClaw before 2026.5.6, you are affected.

How severe is it?

CVSS 3.1: 6.6 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 3% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

  1. Upgrade to OpenClaw 2026.5.6 or later — this is the only complete fix per the security advisory.

  2. If patching is not immediately possible, restrict OpenClaw execution to trusted users only and revoke local access for untrusted accounts on affected macOS hosts.

  3. Audit existing allowlist configurations for combined POSIX flag coverage — if your allowlist entries assume space-separated flags (-r -f), add equivalent combined forms (-rf) as a temporary defensive measure.

  4. Enable process auditing via macOS Unified Logging or the Endpoint Security Framework to detect unexpected command executions originating from the OpenClaw process.

  5. Review whether AI agents in your environment invoke OpenClaw's Swift exec feature with operator-defined allowlists and prioritize patching those deployments first.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.4 - AI system security controls
NIST AI RMF: MAP 2.3 - Scientific findings are identified and documented
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53861 actively exploited?

No confirmed active exploitation of CVE-2026-53861 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53861?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent deployments on macOS, local AI agent sandboxing, agentic code execution pipelines.

What is the CVSS score for CVE-2026-53861?

CVE-2026-53861 has a CVSS v3.1 base score of 6.6 (MEDIUM). The EPSS exploitation probability is 0.13%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI agent deployments on macOS
local AI agent sandboxing
agentic code execution pipelines

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.4
NIST AI RMF: MAP 2.3
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

Exploitation Scenario

An attacker with low-privileged local access on a macOS host running an OpenClaw-based AI agent constructs a request that triggers the agent's Swift exec feature using combined POSIX inline flags. For example, a command using '-rf' or '-la' combined forms bypasses the string-match or regex-based allowlist check that only accounts for space-separated flag variants. When a user interacts with the agent (or the agent itself invokes the exec path as part of a tool chain), OpenClaw executes the crafted command outside the intended sandbox. The attacker can then read sensitive files including agent configuration and credentials (C:H), or modify agent configuration files and inject malicious code into the AI agent's working directory to establish persistence (I:H), potentially pivoting to full host compromise through the agent's elevated tool access.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
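The flag-normalization gap described in the exploitation scenario, together with the CWE-184 advice to match against a list of allowed inputs, as an added example that is not OpenClaw's code: a hypothetical policy evaluator that expands clustered short flags before matching, so that '-la' and '-l -a' receive the same verdict and anything it cannot account for is refused. POLICY, SHELL_META, canonicalize, is_allowed and the sample command lines are all constructed for this illustration.

```python
"""Hypothetical allowlist evaluator that normalizes clustered POSIX short flags.
Added example, not OpenClaw's code: the policy is applied to a canonical form of
argv so 'ls -la' and 'ls -l -a' get one verdict and unknown input is rejected."""
import shlex

# Constructed operator policy: command -> single-letter flags it may take.
POLICY = {"ls": {"-l", "-a", "-h"}, "cat": set()}
SHELL_META = set(";|&$`<>()\n")  # relevant if argv is ever handed to a shell

def naive_is_allowed(cmdline, policy=POLICY):
    """Raw-token matching: '-la' and '-l -a' get different verdicts.  Behind a
    denylist that gap is a bypass; behind an allowlist, a spurious rejection."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in policy:
        return False
    return all(t in policy[argv[0]] for t in argv[1:] if t.startswith("-"))

def canonicalize(argv):
    """Split argv into (flags, positionals), expanding clusters: '-la' -> '-l', '-a'.
    Tokens after '--' are positional; long options ('--all') stay whole and a
    bare '-' (stdin) counts as a positional."""
    flags, positionals, opts_done = [], [], False
    for tok in argv:
        if opts_done or tok == "-" or not tok.startswith("-"):
            positionals.append(tok)
        elif tok == "--":
            opts_done = True
        elif tok.startswith("--"):
            flags.append(tok)
        else:
            flags.extend("-" + ch for ch in tok[1:])
    return flags, positionals

def is_allowed(cmdline, policy=POLICY):
    """True only if the command is listed, every canonical flag is permitted and
    no positional argument carries shell metacharacters (fail closed)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not argv or argv[0] not in policy:
        return False
    flags, positionals = canonicalize(argv[1:])
    if any(set(p) & SHELL_META for p in positionals):
        return False
    return all(f in policy[argv[0]] for f in flags)
```

Executing the checked argv directly, without a shell, is what makes the positional check sufficient; if the command line is ever re-joined and handed to a shell, SHELL_META is a last line of defense rather than the control.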

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: June 16, 2026
Last Modified: June 18, 2026
First Seen: June 16, 2026
