CVE-2026-53863: OpenClaw: access control bypass via unvalidated group ID

HIGH
Published June 16, 2026
CISO Take

OpenClaw's tool group policy resolver accepts caller-supplied group IDs without validating actual group membership, allowing any low-privileged network user to substitute a high-privilege group ID and receive an incorrect policy approval for tool invocations they should never be authorized to make. For AI agent deployments, tool-level access controls are the primary guardrail separating roles from sensitive capabilities such as file writes, external API calls, and data store operations—a bypass here translates directly to the CVSS Integrity High impact rating. No public exploit code or Nuclei template exists yet and the CVE is absent from CISA KEV, but the combination of network reachability, low attack complexity, and low privilege bar makes opportunistic exploitation realistic for any attacker with API-level access to an exposed OpenClaw instance. Patch to OpenClaw 2026.4.25 or later immediately; as a temporary workaround, enforce group ID validation at the API gateway and restrict the policy resolver endpoint to trusted internal networks only.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High severity (CVSS 7.1) with a network-accessible attack surface, low attack complexity, and a low privilege requirement; no user interaction is needed. The vulnerability class (CWE-639: Authorization Bypass Through User-Controlled Key) is well understood and straightforward to weaponize once an attacker identifies the group ID parameter. The absence of a KEV listing means no confirmed in-the-wild exploitation has been recorded, and the missing EPSS score means exploitation probability is simply unscored rather than low; the attack requires only an authenticated low-privileged session and knowledge of a valid high-privilege group ID, which is often enumerable or derivable from documentation. In multi-tenant or enterprise agentic platforms where OpenClaw enforces role separation across tool sets, successful exploitation amounts to privilege escalation across policy tiers, with the attacker's tool calls logged as group-authorized actions.

How does the attack unfold?

Initial Access
Attacker authenticates to OpenClaw with a low-privileged account obtained through legitimate registration, credential theft, or a shared access token.
AML.T0012
Group ID Enumeration
Attacker discovers valid high-privilege group IDs by querying API responses, reading public documentation, or enumerating error messages from the policy resolver.
AML.T0084
Policy Bypass via Forged Group ID
Attacker submits a tool invocation request substituting their actual group ID with a high-privilege group ID; the unvalidated resolver grants approval as if the attacker were a legitimate group member.
AML.T0107
Unauthorized Tool Invocation and Impact
Attacker invokes restricted tools (database writes, external API calls, file system access) outside their authorized scope, achieving the high integrity impact reflected in the CVSS vector or exfiltrating data through the improperly authorized tool calls.
AML.T0053

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: not listed
Patched: no patched release is recorded in the package data; the advisory text below states that releases before 2026.4.25 are affected, so treat 2026.4.25 as the fix and confirm against the upstream advisory before relying on the package row.
4 dependents, 61% patched, ~0d to patch

If you run any OpenClaw release before 2026.4.25, you are affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): High
Availability (A): None

What should I do?

5 steps
  1. Patch immediately: upgrade OpenClaw to version 2026.4.25 or later, which validates group IDs server-side before passing them to the policy resolver.

  2. Immediate workaround if patching is blocked: enforce group ID validation at the API gateway or application boundary layer; reject any group ID not present in a server-side allowlist before the request reaches the policy resolver.

  3. Network controls: restrict the OpenClaw policy resolver endpoint to trusted internal networks only and block public internet exposure.

  4. Detection: audit tool invocation logs for group IDs that don't match the invoking user's enrolled groups; alert on group ID values appearing in requests that are absent from the configured group registry.

  5. Least-privilege audit: review current tool group policy configurations and confirm that high-impact tools (write operations, external API integrations, data exfiltration-capable tools) are scoped to the minimal required groups.
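Step 4 in code form: the detection logic run over a handful of tool invocation log lines. This is an added example, not OpenClaw's own tooling or log format; the JSON-lines layout, the field names (`user`, `group_id`, `tool`, `decision`), the group registry and the sample log are all hypothetical and constructed for the demonstration. The check is the same one the fixed resolver should perform, applied after the fact: does the group ID in each request belong to the configured registry, and is the invoking user actually enrolled in it?

```python
import json

# Constructed server-side group registry (hypothetical). In a real deployment
# this would be whatever directory or config the policy resolver is meant to
# trust, never a value taken from the request.
GROUP_REGISTRY = {
    "viewers": {"alice", "bob"},
    "admins": {"carol"},
}

# Constructed JSON-lines tool invocation log (hypothetical field names).
# Line 2 is the bypass signature: a viewer's request carrying the admins
# group ID that was nevertheless allowed. Line 4 names a group that does
# not exist in the registry (enumeration attempt). Line 5 is malformed.
SAMPLE_LOG = """\
{"ts": "2026-06-16T10:00:01Z", "user": "alice", "group_id": "viewers", "tool": "read_records", "decision": "allow"}
{"ts": "2026-06-16T10:00:07Z", "user": "alice", "group_id": "admins", "tool": "write_records", "decision": "allow"}
{"ts": "2026-06-16T10:00:09Z", "user": "carol", "group_id": "admins", "tool": "write_records", "decision": "allow"}
{"ts": "2026-06-16T10:00:12Z", "user": "bob", "group_id": "superusers", "tool": "call_external_api", "decision": "deny"}
this line is not JSON
"""


def find_group_mismatches(log_text: str, registry: dict) -> dict:
    """Flag invocations whose group_id is unregistered or not among the
    caller's enrolled groups.

    Returns the alerts plus a count of malformed lines, so a truncated or
    tampered log does not silently pass as clean.
    """
    alerts = []
    malformed = 0
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        user = event.get("user")
        group_id = event.get("group_id")
        decision = event.get("decision")
        if group_id not in registry:
            reason = "unregistered_group"
        elif user not in registry[group_id]:
            reason = "user_not_enrolled"
        else:
            continue  # group ID matches the user's enrolment: nothing to flag
        # An *allowed* call under a group the user is not validly in is the
        # bypass itself; a denied one is reconnaissance or misconfiguration.
        severity = "high" if decision == "allow" else "medium"
        alerts.append({
            "line": lineno,
            "ts": event.get("ts"),
            "user": user,
            "group_id": group_id,
            "tool": event.get("tool"),
            "decision": decision,
            "reason": reason,
            "severity": severity,
        })
    return {"alerts": alerts, "malformed": malformed}


if __name__ == "__main__":
    result = find_group_mismatches(SAMPLE_LOG, GROUP_REGISTRY)
    for alert in result["alerts"]:
        print(f"[{alert['severity']}] line {alert['line']}: {alert['user']} used "
              f"group {alert['group_id']!r} for {alert['tool']} ({alert['reason']})")
    print(f"malformed lines: {result['malformed']}")
```

Run it against the constructed log and it reports the forged-admin write as high severity and the unknown-group attempt as medium. Pointing it at real logs only requires swapping in the deployment's registry and field names; the high-severity condition (allowed call, user not enrolled in the named group) is the one worth paging on, since it is exactly what the unpatched resolver produces.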

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Access control for AI system resources
NIST AI RMF
MANAGE 2.4 - Residual risks from AI systems are managed
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53863?

CVE-2026-53863 is a high-severity (CVSS 7.1) authorization bypass in OpenClaw before 2026.4.25: the tool group policy resolver trusts a caller-supplied group ID without checking that the caller is actually a member of that group, so a low-privileged user can name a high-privilege group and obtain policy approval for tool invocations outside their role. The CISO Take above gives the full assessment.

Is CVE-2026-53863 actively exploited?

No confirmed active exploitation of CVE-2026-53863 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53863?

Upgrade OpenClaw to 2026.4.25 or later. If patching is blocked, validate group IDs against a server-side allowlist at the API gateway before requests reach the policy resolver, and restrict the resolver endpoint to trusted internal networks. Then audit tool invocation logs for group IDs that do not match the invoking user's enrolled groups, and review tool group policies so that high-impact tools are scoped to the minimal required groups. The five steps are detailed under "What should I do?" above.

What systems are affected by CVE-2026-53863?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, AI orchestration platforms, Multi-tenant agentic pipelines, Tool-augmented LLM deployments, Enterprise AI automation workflows.

What is the CVSS score for CVE-2026-53863?

CVE-2026-53863 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

Agent frameworks, AI orchestration platforms, Multi-tenant agentic pipelines, Tool-augmented LLM deployments, Enterprise AI automation workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

Exploitation Scenario

An attacker with a low-privileged OpenClaw account assigned to group 'viewers' crafts an API request to the tool invocation endpoint, substituting their legitimate group ID with the ID of the 'admins' group—obtained by enumerating group names from documentation, API responses, or error messages. Because the policy resolver does not validate whether the caller actually belongs to the supplied group, it evaluates tool access permissions as if the attacker were an admin. The resolver returns an approval decision for a restricted tool—such as a database write tool or an external API integration—that the attacker's actual role should never access. The attacker invokes that tool to exfiltrate records, modify agent state, or trigger operations in connected downstream systems. All activity appears in logs as a group-authorized action, complicating detection.
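The substitution described above, with the vulnerable resolver beside the validation that the fix and the gateway workaround (steps 1 and 2 under "What should I do?") call for, in illustrative Python. This is an added example and not OpenClaw's code or API; the policy table, the group registry, the `Request` fields and the function names are all hypothetical and constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed policy: which groups may invoke which tools (hypothetical).
TOOL_POLICY = {
    "read_records": {"viewers", "admins"},
    "write_records": {"admins"},
    "call_external_api": {"admins"},
}

# Constructed server-side group registry (hypothetical). This, not the
# request, is the only trustworthy source of membership.
GROUP_MEMBERS = {
    "viewers": {"alice", "bob"},
    "admins": {"carol"},
}


@dataclass(frozen=True)
class Request:
    user: str      # authenticated principal, established by the session
    tool: str      # tool the agent wants to invoke
    group_id: str  # caller-supplied; trusting this field is the bug


def resolve_vulnerable(req: Request) -> bool:
    """CWE-639 pattern: the policy decision is keyed on the caller-supplied
    group ID and membership is never checked, so any authenticated user who
    knows a privileged group's name receives that group's policy."""
    return req.group_id in TOOL_POLICY.get(req.tool, set())


def resolve_hardened(req: Request) -> tuple[bool, str]:
    """Validate the supplied group ID against the server-side registry before
    the policy lookup. Unknown group IDs are rejected, and a group the caller
    is not enrolled in is rejected before any policy is evaluated. The same
    two checks can run at an API gateway in front of an unpatched resolver."""
    members = GROUP_MEMBERS.get(req.group_id)
    if members is None:
        return False, f"unknown group {req.group_id!r}"
    if req.user not in members:
        return False, f"{req.user!r} not enrolled in {req.group_id!r}"
    allowed = req.group_id in TOOL_POLICY.get(req.tool, set())
    return allowed, "policy allow" if allowed else "policy deny"


def demo() -> dict:
    """Run the 'viewers' user alice against both resolvers, once honestly and
    once with the 'admins' group ID substituted into the request."""
    forged = Request(user="alice", tool="write_records", group_id="admins")
    honest = Request(user="alice", tool="write_records", group_id="viewers")
    return {
        "vulnerable_forged": resolve_vulnerable(forged),  # True: the bypass
        "vulnerable_honest": resolve_vulnerable(honest),  # False
        "hardened_forged": resolve_hardened(forged),      # (False, not enrolled)
        "hardened_honest": resolve_hardened(honest),      # (False, policy deny)
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable resolver answers the forged request exactly as it would answer an admin, and because it never consulted the registry there is nothing in its decision to distinguish the two; that is why the scenario above notes the activity looks group-authorized in the logs. A stronger variant of the hardened form ignores the supplied field altogether and derives the caller's groups from the registry, which removes the user-controlled key entirely, as the CWE-639 guidance below recommends.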

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities