OpenClaw: 14 Vulnerabilities Disclosed in Single Batch, Including Code Execution and Privilege Escalation
OpenClaw disclosed 14 security vulnerabilities in a single batch on June 11, 2026, including authorization bypass, privilege escalation, and code execution flaws affecting versions prior to 2026.5.27.
Key findings
- 14 CVEs disclosed simultaneously for OpenClaw on June 11, 2026
- Seven CVEs rated High severity (CVSS 7.2–8.8), one Critical-adjacent at 8.8
- Bugs span authorization bypass, privilege escalation, code execution, and SSRF
- All vulnerabilities fixed in OpenClaw 2026.5.27 and later
- No active exploitation reported at time of disclosure
On June 11, 2026, the OpenClaw project disclosed a batch of 14 security vulnerabilities spanning authorization bypass, privilege escalation, code execution, and policy evasion flaws. The disclosures, published simultaneously, affect versions prior to the 2026.5.27 release and represent the most significant coordinated security update in the project's history. Given OpenClaw's role as an AI agent orchestration platform, many of these bugs could allow attackers to escalate privileges, execute arbitrary code, or bypass critical security policies.
Authorization and Policy Bypass Cluster
Several CVEs target authorization enforcement gaps. CVE-2026-53818 (CVSS 6.6) allows non-owner callers to skip owner-only tool policies and before-tool-call hooks through the MCP loopback feature, enabling restricted tool invocation. CVE-2026-53815 (CVSS 6.5) bypasses channel allowlist checks in message read actions, potentially exposing sensitive channel messages to lower-trust callers. CVE-2026-53808 (CVSS 6.5) lets agent tool calls set apply: true despite a pending approval policy in the Skill Workshop apply flow. CVE-2026-53807 (CVSS 8.8) allows authenticated users to skip commands.allowFrom validation in Telegram interactive callbacks, enabling unauthorized command execution. CVE-2026-53809 (CVSS 3.8) exploits provider alias confusion in embedded runner policy to select bundled tool access outside intended restrictions.
Privilege Escalation and Code Execution
A second group of vulnerabilities enables attackers to gain elevated privileges or execute arbitrary code. CVE-2026-53819 (CVSS 8.8) allows arbitrary code execution in skill install flows where workspace .env files can override the Homebrew executable selection. CVE-2026-53814 (CVSS 8.3) escalates privileges by granting hook-triggered agent runs owner-scoped MCP loopback authority instead of the appropriate hook scope. CVE-2026-53811 (CVSS 8.8) exploits the Matrix allowFrom feature, where mutable display name metadata lets attackers match policy entries intended for another identity. CVE-2026-53810 (CVSS 8.8) manipulates marketplace runtime extension metadata to redirect loading toward unscanned package payloads, bypassing security scans.
Network and Trust Validation Flaws
Several bugs exploit insufficient validation of network or locality trust. CVE-2026-53817 (CVSS 8.8) spoofs locality information during Control UI pairing to obtain durable admin-capable device tokens. CVE-2026-53816 (CVSS 7.2) allows paired nodes to forge exec lifecycle events without system.run authorization via crafted node.event messages. CVE-2026-53812 (CVSS 7.7) is a server-side request forgery (SSRF) vulnerability in browser control that lets authenticated users bypass private-network navigation checks through Playwright act interactions.
Path Traversal and Shell Parsing
CVE-2026-53813 (CVSS 7.8) is a path traversal flaw in memory-core artifact loading where workspace state influences local package root resolution, potentially loading artifacts from unintended locations. CVE-2026-53806 (CVSS 8.8) exploits combined POSIX shell flags to bypass exec revalidation checks, enabling unauthorized command execution.
Response and Patching
OpenClaw has addressed all 14 vulnerabilities in versions 2026.5.27 and later. Users running versions prior to 2026.5.27 are urged to update immediately. The fixes span multiple components: the MCP loopback, Control UI pairing, Skill Workshop, Telegram callbacks, Matrix integration, marketplace extension loading, browser control, and shell execution handling. No in-the-wild exploitation has been reported at the time of disclosure.
Broader Context
This batch underscores the challenge of securing AI agent orchestration platforms, where trust boundaries between users, nodes, hooks, and external services multiply rapidly. The diversity of attack surfaces — from Homebrew executable selection to Matrix display name parsing — reflects the complexity of modern agent infrastructure. OpenClaw users should treat this update as a priority, as several of the high-severity bugs (CVSS 8.8) require only authenticated access or network proximity to exploit.