CVE-2026-53866: OpenClaw: allowlist bypass allows unauthorized shell exec

HIGH
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.12 contains a missing authorization flaw (CWE-862) in its shell inline-command parser: an authenticated operator can submit a request using specific inline-command forms that route through a parser code path lacking the expected allowlist decision, so unapproved shell content runs without the required approval prompt. The CVSS 3.1 score is 8.1 (High): network-reachable, low attack complexity, low-privilege credentials required and no user interaction. That profile makes the flaw most dangerous in multi-operator or SaaS-hosted OpenClaw deployments, where a malicious or compromised operator can run arbitrary shell commands on the host with the privileges of the OpenClaw process, not only the allowlisted ones. No public exploit or KEV listing exists yet, but given the trivial attack complexity a working exploit should be expected soon after disclosure. Upgrade to OpenClaw 2026.5.12 or later now; if patching must wait, restrict the shell tool to the most trusted operators and enable full command audit logging.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High risk. CVSS 8.1 with a network vector, low attack complexity and only a low-privilege requirement leaves few defensive barriers: the sole prerequisite is an operator account. The allowlist bypass undermines the one control meant to contain agent-executed shell commands; the assumption that operators can run only approved commands fails because of a design flaw in the parser, not because of brute force. In deployments where OpenClaw orchestrates actions on behalf of users or automates workflows, a bypass gives the attacker OS-level execution with the agent's identity and access, which enables lateral movement, data exfiltration and infrastructure compromise. No EPSS data is available yet because of the recent publication date, but the trivial exploitation path warrants treating this as high urgency regardless.

How does the attack unfold?

Initial Access
Attacker authenticates to OpenClaw using valid low-privilege operator credentials, gaining legitimate but intended-to-be-restricted access to the agent framework's command interface.
AML.T0012
Allowlist Bypass
Attacker crafts a shell command request using an inline-command form (e.g., command substitution syntax) that routes through a parser branch missing the allowlist decision, bypassing the approval enforcement entirely.
AML.T0049
Unauthorized Shell Execution
The unapproved shell command executes on the underlying host system without triggering any approval prompt, granting the attacker arbitrary OS-level command execution under the agent process's identity.
AML.T0050
Impact
Attacker exfiltrates environment secrets, API keys, or sensitive data accessible to the OpenClaw process, or persists a backdoor by modifying agent configuration files for ongoing access.
AML.T0086

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip         < 2026.5.12        2026.5.12 (per the advisory)
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? Any release before 2026.5.12 is affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Metric                     Value
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   Low
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           None

What should I do?

6 steps
  1. Patch immediately: upgrade OpenClaw to 2026.5.12 or later — this is the only complete fix.

  2. Audit operator access: identify all users with operator-level credentials and revoke unnecessary access pending patching.

  3. Workaround: disable shell command tools in OpenClaw configuration entirely if shell automation is not required by your use case.

  4. Detection: review shell command execution logs for inline-command syntax (backtick expansion, $() substitution, and any other inline form your OpenClaw version parses; the advisory does not enumerate them) and alert on any executed command that has no corresponding approval event and is not on the allowlist.

  5. Network segmentation: ensure OpenClaw instances are not directly internet-facing — place behind authenticated proxies or VPNs to raise the attacker's access bar.

  6. Least privilege: confirm the OS user running OpenClaw has the minimum permissions needed; avoid running as root.
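The detection logic from step 4, as an added example that is not OpenClaw's own code. OpenClaw's real log format is not shown on this page, so the example assumes a JSON-lines log with `event` values `shell.approval` and `shell.exec` sharing a `request_id`, and a constructed allowlist; both are assumptions to adapt to the real telemetry. It joins executions to approvals and flags two things: any executed command carrying an inline-substitution form, and any executed command that was neither pre-approved by the allowlist nor matched by an approval event.

```python
import json
import re
from typing import Dict, List

# Constructed allowlist (assumption): commands an operator may run without an approval event.
ALLOWLIST = {"ls", "cat", "git", "grep"}

# Inline-command forms called out in the steps above: $( ... ) and backtick expansion.
INLINE_RE = re.compile(r"\$\(|`")

# Constructed sample log in an assumed JSON-lines shape; not OpenClaw's real format.
SAMPLE_LOG = """\
{"ts": "2026-06-16T10:00:01Z", "event": "shell.approval", "request_id": "req-1", "operator": "alice", "command": "make build"}
{"ts": "2026-06-16T10:00:02Z", "event": "shell.exec", "request_id": "req-1", "operator": "alice", "command": "make build"}
{"ts": "2026-06-16T10:00:05Z", "event": "shell.exec", "request_id": "req-2", "operator": "alice", "command": "ls -la /srv/app"}
{"ts": "2026-06-16T10:01:10Z", "event": "shell.exec", "request_id": "req-3", "operator": "bob", "command": "cat $(env | base64 -w0)"}
{"ts": "2026-06-16T10:01:12Z", "event": "shell.exec", "request_id": "req-4", "operator": "bob", "command": "`id`"}
{"ts": "2026-06-16T10:02:00Z", "event": "shell.exec", "request_id": "req-5", "operator": "carol", "command": "python3 -c 'import os'"}
"""


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Parse JSON lines, skipping blank or malformed lines (a real pipeline should count those)."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def first_word(command: str) -> str:
    """Program name of the outer command, the token a naive allowlist check looks at."""
    parts = command.strip().split()
    return parts[0] if parts else ""


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per shell.exec event that is suspicious, with the reasons."""
    events = parse_events(log_text)
    # Approval events may precede or follow the exec; collect them all first.
    approved = {e["request_id"] for e in events if e.get("event") == "shell.approval"}
    alerts: List[Dict[str, object]] = []
    for e in events:
        if e.get("event") != "shell.exec":
            continue
        cmd = e.get("command", "")
        inline = bool(INLINE_RE.search(cmd))
        # An inline form is never treated as pre-approved, even if the outer word is allowlisted:
        # that is exactly the shape of the bypass described in the advisory.
        pre_approved = not inline and first_word(cmd) in ALLOWLIST
        reasons: List[str] = []
        if inline:
            reasons.append("inline-substitution")
        if not pre_approved and e["request_id"] not in approved:
            reasons.append("no-approval-event")
        if reasons:
            alerts.append({"request_id": e["request_id"], "operator": e.get("operator", ""),
                           "command": cmd, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(f"{alert['request_id']} {alert['operator']}: {alert['command']!r} -> {', '.join(alert['reasons'])}")
```

The second rule matters as much as the first: it catches executions that reach the host through whatever inline form the parser mishandles, whether or not that form uses backticks or $(), because the missing approval event is the invariant the advisory describes.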

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.6 - Access control to AI systems
NIST AI RMF
GOVERN 1.2 - Policies, processes, and procedures are in place to address AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53866?

CVE-2026-53866 is a missing authorization flaw (CWE-862) in the shell inline-command parser of OpenClaw before 2026.5.12. Certain inline-command forms route through a parser path that never makes the allowlist decision, so an authenticated low-privilege operator can execute unapproved shell commands on the host without the approval prompt. It is rated CVSS 3.1 8.1 (High) and is fixed in OpenClaw 2026.5.12.

Is CVE-2026-53866 actively exploited?

No confirmed active exploitation of CVE-2026-53866 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53866?

1. Patch immediately: upgrade OpenClaw to 2026.5.12 or later; this is the only complete fix.
2. Audit operator access: identify all users with operator-level credentials and revoke unnecessary access pending patching.
3. Workaround: disable shell command tools in OpenClaw configuration entirely if shell automation is not required by your use case.
4. Detection: review shell command execution logs for inline-command syntax patterns (backtick expansion, $() substitution) that may indicate exploitation attempts; alert on commands lacking corresponding approval events.
5. Network segmentation: ensure OpenClaw instances are not directly internet-facing; place them behind authenticated proxies or VPNs to raise the attacker's access bar.
6. Least privilege: confirm the OS user running OpenClaw has the minimum permissions needed; avoid running as root.

What systems are affected by CVE-2026-53866?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, AI automation platforms, multi-operator AI deployments.

What is the CVSS score for CVE-2026-53866?

CVE-2026-53866 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, AI automation platforms, multi-operator AI deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

Exploitation Scenario

An attacker holding low-privilege operator credentials on an OpenClaw instance submits a shell command request using an inline-command form, for example a command wrapped in backticks or $() substitution, that the parser routes through a code branch with no allowlist decision. The command runs on the underlying host without the expected approval prompt. In a realistic agent deployment the attacker reads environment variables to harvest API keys and cloud credentials available to the agent process and exfiltrates them with an outbound shell command, or edits the agent's configuration files to plant a backdoor that survives restarts. The session otherwise looks like normal operator activity; the telltale is an executed command with no matching approval event.
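To make the CWE-862 shape concrete, here is an added example, written for this page and not taken from OpenClaw, of a fail-open allowlist decision beside a fail-closed one. The allowlist, the `decide_*` functions and the assumption that inline forms are `$()` and backticks are all hypothetical; the advisory does not show OpenClaw's parser. The vulnerable model has a separate branch for inline forms that prepares the request but never records a decision, and an absent decision defaults to execute. The hardened model peels every substitution, innermost first, and requires every command the shell would run to be allowlisted, refusing anything it cannot fully parse.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed allowlist (assumption): commands an operator may run without an approval prompt.
ALLOWLIST = {"ls", "cat", "git", "grep"}

# Innermost $( ... ) with no nested parentheses, or a backtick span (assumed inline forms).
SUBST_RE = re.compile(r"\$\(([^()]*)\)|`([^`]*)`")


def _first_word(command: str) -> Optional[str]:
    """Program name of a single shell command, or None if it cannot be tokenised."""
    try:
        parts = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    return parts[0] if parts else None


def decide_vulnerable(request: str) -> str:
    """Hypothetical model of the defect: the inline-command branch never records
    an allowlist decision, and a missing decision falls through to execute."""
    decision = None
    if SUBST_RE.search(request):
        # inline-command path: request is prepared for the shell, but no
        # allowlist decision is made on this branch (the missing check)
        _ = request.strip()
    else:
        decision = "execute" if _first_word(request) in ALLOWLIST else "needs_approval"
    return decision if decision is not None else "execute"  # fail-open default


def _split_substitutions(request: str) -> List[str]:
    """Peel substitutions innermost-first and return [inner bodies..., outer command],
    so '$(a $(b))' yields ['b', 'a __SUBST__', '__SUBST__']."""
    bodies: List[str] = []
    text = request
    while True:
        m = SUBST_RE.search(text)
        if not m:
            break
        bodies.append(m.group(1) if m.group(1) is not None else m.group(2))
        text = text[:m.start()] + "__SUBST__" + text[m.end():]
    bodies.append(text)
    return bodies


def decide_hardened(request: str) -> str:
    """Fail-closed version: every path returns an explicit decision, and every
    command the shell would run (outer and substituted) must be allowlisted."""
    if re.search(r"[;&|<>\n]", request):
        return "needs_approval"  # chaining and redirection are never auto-approved
    segments = _split_substitutions(request)
    if "$(" in segments[-1] or "`" in segments[-1]:
        return "needs_approval"  # unbalanced or unparsed substitution: refuse
    for seg in segments:
        if _first_word(seg) not in ALLOWLIST:
            return "needs_approval"
    return "execute"


def compare(requests: List[str]) -> Dict[str, Dict[str, str]]:
    """Decision from both models for each request."""
    return {r: {"vulnerable": decide_vulnerable(r), "hardened": decide_hardened(r)} for r in requests}


if __name__ == "__main__":
    samples = ["ls -la", "id", "$(id)", "`whoami`", "cat $(ls)", "cat $(id)", "ls; id"]
    for req, d in compare(samples).items():
        print(f"{req!r:14} vulnerable={d['vulnerable']:15} hardened={d['hardened']}")
```

The point of the hardened version is structural rather than the specific regex: a decision function whose every branch returns a value cannot silently skip the check, and a default of "needs approval" for anything unrecognised turns a parser gap into a prompt instead of an execution.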

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities