CVE-2026-53862: OpenClaw: bootstrap token replay enables scope escalation

MEDIUM
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.12 contains a flaw in its agent pairing mechanism where bootstrap tokens held in pending state can be replayed by an unauthenticated network attacker — with required user interaction — to claim broader pairing authority than originally requested. While the CVSS 4.2 score and high attack complexity limit immediate urgency, in AI agent environments pairing scope directly governs what tools, APIs, and data sources an agent can access, making scope escalation a meaningful privilege gain beyond a simple credential theft. There are no public exploits, CISA KEV entries, or automated scanner templates available, which reduces near-term risk. Organizations running OpenClaw should upgrade to 2026.5.12 immediately and audit existing agent pairings for anomalous scope grants.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium risk. CVSS 4.2 with high attack complexity and required user interaction significantly narrows the exploitable attack window — the attacker must race the token replay against the pending approval cycle. However, CWE-266 (Incorrect Privilege Assignment) combined with CWE-345 (Insufficient Verification of Data Authenticity) indicates a systemic gap in token lifecycle validation: the system never verifies that a replayed token's requested scope matches the original pending request. In AI agent deployments where pairing authority is the trust boundary for automated operations, even partial scope escalation can compound across downstream tools and orchestration chains.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker initiates a pairing request to the OpenClaw instance, receiving a bootstrap token in pending state with a limited requested scope.

  2. Token Replay (AML.T0091.000): Before the pending token is approved by an authorized administrator, the attacker replays it with an inflated scope claim, exploiting the absence of replay protection and scope immutability.

  3. Privilege Escalation (AML.T0106): OpenClaw accepts the replayed token with the broader scope, granting the attacker a valid pairing with elevated authority beyond what was originally requested or intended.

  4. Unauthorized Agent Control (AML.T0053): The attacker exercises the escalated pairing authority to invoke AI agent tools, access connected data sources, or orchestrate workflows beyond the authorized permission boundary.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
4.2 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

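Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None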

What should I do?

  1. Upgrade OpenClaw to 2026.5.12 or later — this is the direct remediation per the security advisory.

  2. If immediate patching is not feasible, restrict network access to the OpenClaw pairing endpoint to trusted networks or IP ranges, and enforce short TTLs on pending bootstrap tokens to minimize the replay window.

  3. Audit all existing agent pairings: look for any scope grants that were not explicitly requested in the original pairing workflow.

  4. Enable verbose logging of token lifecycle events (issuance, replay attempts, scope changes) to detect exploitation attempts retroactively.

  5. Review operational runbooks to ensure pending tokens are approved or revoked promptly — do not leave bootstrap tokens in pending state for extended periods.
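One way to carry out the audit in steps 3 and 4, as an added example that is not OpenClaw code: it walks token lifecycle events and flags any token whose later scope is wider than the scope recorded at issuance. The JSON field names (`event`, `token_id`, `scope`), the event kinds, and the sample log lines are assumptions constructed for illustration; map them to whatever your deployment actually logs.

```python
import json

# Constructed sample events; field names are assumptions, not OpenClaw's log schema.
SAMPLE_LOG = """\
{"ts": "2026-06-10T09:00:00Z", "event": "issued", "token_id": "t1", "scope": ["agent:read"]}
{"ts": "2026-06-10T09:00:40Z", "event": "approved", "token_id": "t1", "scope": ["agent:read"]}
{"ts": "2026-06-10T10:00:00Z", "event": "issued", "token_id": "t2", "scope": ["agent:read"]}
{"ts": "2026-06-10T10:00:05Z", "event": "presented", "token_id": "t2", "scope": ["agent:read", "tools:admin"]}
{"ts": "2026-06-10T10:02:00Z", "event": "approved", "token_id": "t2", "scope": ["agent:read", "tools:admin"]}
{"ts": "2026-06-10T11:00:00Z", "event": "approved", "token_id": "t3", "scope": ["agent:read"]}
"""


def audit_pairings(log_text):
    """Return (line_no, token_id, reason) for events that widen a token's scope."""
    first_scope = {}  # token_id -> scope recorded when the token was issued
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            token, kind, scope = ev["token_id"], ev["event"], set(ev["scope"])
        except (ValueError, KeyError, TypeError):
            # Malformed lines are reported, not skipped, so gaps stay visible.
            findings.append((line_no, None, "unparseable event"))
            continue
        if kind == "issued":
            # Only the first issuance counts as the baseline scope.
            first_scope.setdefault(token, scope)
        elif token not in first_scope:
            findings.append((line_no, token, f"{kind} without issuance record"))
        elif not scope <= first_scope[token]:
            extra = sorted(scope - first_scope[token])
            findings.append((line_no, token, f"{kind} widened scope by {extra}"))
    return findings


if __name__ == "__main__":
    for finding in audit_pairings(SAMPLE_LOG):
        print(finding)
```

Any finding on an `approved` event points to a pairing that should be revoked and re-issued after upgrading.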

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.2 - Segregation of Duties
NIST AI RMF
MANAGE 2.4 - Mechanisms to Manage AI Risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53862 actively exploited?

No confirmed active exploitation of CVE-2026-53862 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53862?

  1. Upgrade OpenClaw to 2026.5.12 or later; this is the direct remediation per the security advisory.

  2. If immediate patching is not feasible, restrict network access to the OpenClaw pairing endpoint to trusted networks or IP ranges, and enforce short TTLs on pending bootstrap tokens to minimize the replay window.

  3. Audit all existing agent pairings: look for any scope grants that were not explicitly requested in the original pairing workflow.

  4. Enable verbose logging of token lifecycle events (issuance, replay attempts, scope changes) to detect exploitation attempts retroactively.

  5. Review operational runbooks to ensure pending tokens are approved or revoked promptly; do not leave bootstrap tokens in pending state for extended periods.

What systems are affected by CVE-2026-53862?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI agent pairing systems, automated AI pipeline orchestration.

What is the CVSS score for CVE-2026-53862?

CVE-2026-53862 has a CVSS v3.1 base score of 4.2 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration, AI agent pairing systems, automated AI pipeline orchestration

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0091.000 Application Access Token
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

Exploitation Scenario

An attacker with network access to an OpenClaw deployment initiates a legitimate-looking pairing request, receiving a bootstrap token with limited scope in pending state awaiting administrator approval. Before the administrator approves the token — which would finalize and lock its scope — the attacker replays the same token in a new pairing request inflating the requested scope: for example, adding admin-level pairing authority or access to sensitive agent tools not in the original request. Because OpenClaw fails to validate that the replayed token's scope matches the original pending scope, it accepts the broader claim. The attacker now holds a valid pairing with elevated authority, enabling them to invoke agent tools, orchestrate AI workflows, or access data sources the approving administrator never authorized.
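The missing check described above, sketched as an added example (a hypothetical model, not OpenClaw's implementation or its fix): the scope is frozen when the bootstrap token is issued, any re-presentation claiming more than that scope revokes the token, and approval consumes the token once and grants only the bound scope. The class and method names, the TTL default, and the revoke-on-mismatch policy are assumptions.

```python
import hashlib
import time


class PairingError(Exception):
    """Raised when a bootstrap token presentation must be refused."""


class PendingTokenStore:
    """Hypothetical pending bootstrap-token registry (not OpenClaw code)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._pending = {}  # token digest -> (frozen scope, expiry time)
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Store a digest so the registry never holds the raw token.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, token, requested_scope):
        # Scope is frozen at issuance; later presentations cannot widen it.
        self._pending[self._digest(token)] = (
            frozenset(requested_scope), self._clock() + self._ttl)

    def present(self, token, claimed_scope):
        """Validate a re-presentation of a token that is still pending."""
        key = self._digest(token)
        record = self._pending.get(key)
        if record is None:
            raise PairingError("unknown or already consumed token")
        bound_scope, expiry = record
        if self._clock() > expiry:
            del self._pending[key]
            raise PairingError("pending token expired")
        if not frozenset(claimed_scope) <= bound_scope:
            # Inflated scope on replay: revoke rather than update the record.
            del self._pending[key]
            raise PairingError("claimed scope exceeds scope bound at issuance")
        return bound_scope

    def approve(self, token):
        """Consume the token exactly once and grant only the bound scope."""
        record = self._pending.pop(self._digest(token), None)
        if record is None or self._clock() > record[1]:
            raise PairingError("no valid pending token to approve")
        return record[0]
```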

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
