OpenClaw: 25 CVEs Disclosed in a Single Day — Allowlist Bypasses and Privilege Escalation Dominate
OpenClaw disclosed 25 CVEs on June 16, 2026, spanning allowlist bypasses, privilege escalation, and identity validation flaws. The highest-severity bug (CVSS 8.8) lets a device session that survived revocation regain node token authority.

Key findings
- 25 CVEs disclosed in a single day across OpenClaw versions before 2026.5.x
- Highest severity is CVE-2026-53843 (CVSS 8.8): device session re-establishes authority after revocation
- Multiple allowlist bypasses allow authenticated operators to execute unapproved commands
- Discord and Zalo identity validation flaws (CVE-2026-53849, CVE-2026-53857) exploit mutable display names
- Environment variable injection via .env files affects Node.js, Python, and runtime dependency paths
- Patches span versions 2026.4.2 through 2026.5.26; no in-the-wild exploitation reported
25 CVEs Hit OpenClaw in a Single-Day Disclosure — Allowlist Bypasses, Privilege Escalation, and More
On June 16, 2026, OpenClaw disclosed a batch of 25 security vulnerabilities affecting versions before the 2026.5.x release line. The CVEs span a wide range of bug classes — allowlist bypasses, path traversal, environment variable injection, privilege escalation, and authorization gaps — with severities from Medium (CVSSv3 4.2) to High (CVSSv3 8.8). Several of the most severe flaws allow authenticated operators to execute unapproved commands or escalate privileges, making this a significant patch event for any organization running OpenClaw.
Allowlist and Exec Bypass Cluster
The largest thematic group concerns shell inline-command parsing and exec allowlist bypasses. CVE-2026-53866 (CVSS 8.1) allows authenticated operators to execute unapproved commands when the inline-command parser hits a case that never reaches the allowlist decision. CVE-2026-53855 (CVSS 8.1) lets attackers weaken strict allowlist checks via shell positional parameters, while CVE-2026-53853 (CVSS 8.3, the highest score in this cluster) enables direct invocation of allowlisted executables with unrestricted arguments, bypassing configured argPattern restrictions on Linux and macOS. CVE-2026-53861 (CVSS 6.6) targets the macOS Swift exec feature with combined POSIX inline-command flags, and CVE-2026-53848 (CVSS 4.3) allows wrapper-level side effects outside the allowlisted command's intent.
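The three bypass shapes in this cluster (a full path to an allowlisted binary, shell syntax appended after an allowed command, and positional parameters) all defeat a check that looks only at the command name. The following is an added illustration in generic form, not OpenClaw's code: a naive allowlist check next to a strict one that anchors the argPattern against every argument and refuses anything containing shell syntax. The policy, the sample command lines, and the AllowEntry and Decision shapes are constructed for the example.

```typescript
// Added example, not OpenClaw's code: a generic exec allowlist check.
// The "naive" form inspects only the command name, which is the shape of
// check the bypasses described above defeat; the "strict" form applies the
// argPattern to every argument and refuses anything it cannot judge.

interface AllowEntry {
  command: string;      // basename of the permitted executable
  argPattern: RegExp;   // every argument must fully match this pattern
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Shell syntax that changes what actually runs: separators, pipes, redirects,
// grouping, substitutions, and positional parameters such as $1 or $@.
const SHELL_SYNTAX = /[;&|<>`(){}\n]|\$[0-9@*#!?\-]|\$\{?[A-Za-z_]/;

function basename(p: string): string {
  const i = p.lastIndexOf("/");
  return i === -1 ? p : p.slice(i + 1);
}

// Naive: split on whitespace, compare the basename of argv[0], ignore the rest.
function naiveAllow(cmdline: string, allow: AllowEntry[]): boolean {
  const argv = cmdline.trim().split(/\s+/);
  const cmd = basename(argv[0] ?? "");
  return allow.some((e) => e.command === cmd);
}

// Strict: reject shell syntax outright, resolve the entry by basename so that
// a full path gets the same treatment as the bare name, then require every
// argument to match the anchored argPattern.
function strictAllow(cmdline: string, allow: AllowEntry[]): Decision {
  if (SHELL_SYNTAX.test(cmdline)) {
    return { allowed: false, reason: "shell syntax or positional parameter present" };
  }
  const argv = cmdline.trim().split(/\s+/).filter((a) => a.length > 0);
  const exe = argv[0] ?? "";
  if (exe === "") return { allowed: false, reason: "empty command" };
  const entry = allow.filter((e) => e.command === basename(exe))[0];
  if (!entry) return { allowed: false, reason: `${exe} is not allowlisted` };
  // Anchor the pattern so a partial match cannot pass a longer argument.
  const anchored = new RegExp(`^(?:${entry.argPattern.source})$`);
  for (const arg of argv.slice(1)) {
    if (!anchored.test(arg)) {
      return { allowed: false, reason: `argument ${JSON.stringify(arg)} fails argPattern` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed policy: git may run only read-only subcommands with two flags.
const POLICY: AllowEntry[] = [
  { command: "git", argPattern: /status|log|diff|--oneline|--stat/ },
];

// Constructed inputs: one legitimate call and three of the bypass shapes above.
const SAMPLES: string[] = [
  "git log --oneline",
  "/usr/bin/git push --force",
  "git status; rm -rf /tmp/work",
  'git "$1"',
];

for (const s of SAMPLES) {
  const d = strictAllow(s, POLICY);
  console.log(`${s}\n  naive=${naiveAllow(s, POLICY)} strict=${d.allowed} (${d.reason})`);
}
```

The naive check returns true for all four samples; the strict check allows only the first. Note that refusing shell syntax is the safe default precisely because the allowlist cannot reason about what a shell will do with the string; if a product must support inline shell, the parser has to reach an explicit allow or deny for every branch, which is the gap the first CVE in this cluster describes.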
Identity and Policy Enforcement Flaws
Several CVEs involve identity validation weaknesses in messaging integrations. CVE-2026-53849 (CVSS 8.1) and CVE-2026-53857 (CVSS 8.1) both exploit mutable display names — the former against Discord accounts, the latter against Zalo contacts — to match allowFrom policy entries and gain unauthorized agent access. CVE-2026-53860 (CVSS 4.2) allows BlueBubbles participants to match allowlist entries through conversation metadata rather than stable sender identity. CVE-2026-53859 (CVSS 6.5) bypasses hostname blocklists using trailing-dot notation in model or workspace-derived URLs.
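The Discord and Zalo flaws share one root cause: a display name is attacker-chosen, so any policy that compares against it can be satisfied by renaming an account. The trailing-dot bypass is the same failure in a different domain, a comparison made before canonicalisation. The block below is an added illustration, not OpenClaw's code, showing a sender matcher that only ever compares the platform's stable ID, and a hostname blocklist that lower-cases and strips trailing dots before comparing. The channel names, sender IDs, allowFrom entries, and blocklist are constructed; the host extraction uses a small regex to keep the example dependency-free.

```typescript
// Added example, not OpenClaw's code: two policy checks in generic form.
// senderAllowed() matches only on the platform's stable sender ID, so a
// renamed account cannot collide with an allowFrom entry; hostBlocked()
// canonicalises a hostname before comparing it with a blocklist.

interface Sender {
  channel: string;      // e.g. "discord" or "zalo"
  id: string;           // stable, platform-assigned identifier
  displayName: string;  // mutable, chosen by the account holder
}

// Policy entries have the form "<channel>:<stable id>". Display names never
// enter the comparison, so there is nothing for a rename to match.
function senderAllowed(sender: Sender, allowFrom: string[]): boolean {
  return allowFrom.indexOf(`${sender.channel}:${sender.id}`) !== -1;
}

// Weak form, kept for contrast: also accepts a display-name match.
function senderAllowedByName(sender: Sender, allowFrom: string[]): boolean {
  return senderAllowed(sender, allowFrom)
    || allowFrom.indexOf(`${sender.channel}:${sender.displayName}`) !== -1;
}

// Host extraction with a deliberately small regex so the example has no
// dependencies; production code should use the WHATWG URL parser.
function hostOf(url: string): string | null {
  const m = /^[a-z][a-z0-9+.\-]*:\/\/(?:[^@\/?#]*@)?([^:\/?#]+)/i.exec(url);
  return m ? (m[1] ?? null) : null;
}

// Lower-case and strip trailing dots (FQDN notation) before any comparison.
function canonicalHost(host: string): string {
  let h = host.toLowerCase();
  while (h.length > 0 && h.charAt(h.length - 1) === ".") h = h.slice(0, -1);
  return h;
}

// Weak form: literal string comparison, so "internal.example." slips past.
function hostBlockedNaive(url: string, blocklist: string[]): boolean {
  const h = hostOf(url);
  return h !== null && blocklist.indexOf(h) !== -1;
}

// Hardened form: canonicalise both sides, treat entries as domain suffixes,
// and fail closed on anything that does not parse.
function hostBlocked(url: string, blocklist: string[]): boolean {
  const h = hostOf(url);
  if (h === null) return true;
  const c = canonicalHost(h);
  return blocklist.some((b) => {
    const cb = canonicalHost(b);
    return c === cb || c.endsWith("." + cb);
  });
}

// Constructed data: an allowFrom list written with a display name (the mistake
// the identity CVEs exploit) and a sender who chose that name.
const ALLOW_FROM: string[] = ["discord:ops-admin", "discord:170000000000000001"];
const IMPOSTOR: Sender = { channel: "discord", id: "990000000000000009", displayName: "ops-admin" };
const BLOCKLIST: string[] = ["internal.example"];

console.log("by name:", senderAllowedByName(IMPOSTOR, ALLOW_FROM));                   // true
console.log("by id:  ", senderAllowed(IMPOSTOR, ALLOW_FROM));                         // false
console.log("naive:  ", hostBlockedNaive("https://internal.example./v1", BLOCKLIST)); // false
console.log("strict: ", hostBlocked("https://internal.example./v1", BLOCKLIST));      // true
```

Two caveats a practitioner would add. First, the strict matcher quietly denies any allowFrom entry that holds a display name, so policy loading should reject such entries loudly rather than let the operator believe they work. Second, trailing dots are only one canonicalisation gap; mixed case, alternative IP encodings, and IDNA forms need the same treatment, and a host-based blocklist still does not protect against DNS rebinding, which requires checking the resolved address at connect time.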
Environment Variable and Path Traversal
CVE-2026-53864 (CVSS 8.1) allows Node.js control variables to bypass the host environment sanitizer when they arrive via workspace .env files or skill environment blocks. CVE-2026-53858 (CVSS 7.1) and CVE-2026-53842 (CVSS 7.1) are environment variable injection flaws: the former lets STATE_DIRECTORY influence bundled runtime dependency roots, the latter lets CLOUDSDK_PYTHON, which selects the Python interpreter gcloud runs under, be set during the gcloud execution performed by Gmail setup. CVE-2026-53865 (CVSS 7.1) and CVE-2026-53846 (CVSS 7.1) are path traversal vulnerabilities in maintenance task execution and the install helper, respectively, allowing execution of unintended local executables.
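The common pattern in the environment-variable flaws is a sanitizer applied to one source of variables while other sources are merged in afterwards. The block below is an added illustration, not OpenClaw's code, of a child-process environment builder with that mistake next to the corrected order of operations. The denylist of runtime control variables, the .env parser, and the sample host, .env, and skill inputs are all constructed for the example.

```typescript
// Added example, not OpenClaw's code: building the environment for a child
// process from three sources (host env, a workspace .env file, a skill's env
// block). The weak builder sanitises only the host environment and then layers
// the other two on top, which is the pattern that lets a runtime control
// variable through; the hardened builder merges first and filters last.

type Env = { [key: string]: string };

// Variables that change how a runtime, loader, or SDK behaves. Illustrative
// list only; a real one must cover every runtime the process may launch.
const RUNTIME_CONTROL_KEYS =
  /^(NODE_OPTIONS|NODE_PATH|NODE_EXTRA_CA_CERTS|LD_PRELOAD|LD_LIBRARY_PATH|DYLD_INSERT_LIBRARIES|DYLD_LIBRARY_PATH|PYTHONPATH|PYTHONSTARTUP|CLOUDSDK_PYTHON|STATE_DIRECTORY)$/;

// Minimal .env parser: KEY=VALUE per line, '#' comments, optional matching quotes.
function parseDotenv(text: string): Env {
  const out: Env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const q = val.charAt(0);
    if ((q === '"' || q === "'") && val.length >= 2 && val.charAt(val.length - 1) === q) {
      val = val.slice(1, -1);
    }
    out[key] = val;
  }
  return out;
}

// A key is safe if it is a plain identifier and, compared case-insensitively
// (Windows treats variable names that way), not a runtime control variable.
function isSafeKey(key: string): boolean {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) return false;
  return !RUNTIME_CONTROL_KEYS.test(key.toUpperCase());
}

function copyInto(dst: Env, src: Env, keep: (k: string) => boolean): void {
  for (const k of Object.keys(src)) {
    const v = src[k];
    if (typeof v === "string" && keep(k)) dst[k] = v;
  }
}

// Weak: the sanitiser sees the host environment only.
function buildEnvWeak(host: Env, dotenv: Env, skill: Env): Env {
  const out: Env = {};
  copyInto(out, host, isSafeKey);
  copyInto(out, dotenv, () => true);
  copyInto(out, skill, () => true);
  return out;
}

// Hardened: merge every source first, then apply one filter to the result.
function buildEnv(host: Env, dotenv: Env, skill: Env): Env {
  const merged: Env = {};
  for (const src of [host, dotenv, skill]) copyInto(merged, src, () => true);
  const out: Env = {};
  copyInto(out, merged, isSafeKey);
  return out;
}

// Constructed inputs.
const HOST_ENV: Env = { PATH: "/usr/bin:/bin", HOME: "/home/agent", NODE_OPTIONS: "--max-old-space-size=256" };
const DOTENV_TEXT = [
  "# constructed workspace .env",
  "API_BASE=https://api.example.test",
  'NODE_OPTIONS="--require=/tmp/hook.js"', // would load arbitrary code into every Node child
].join("\n");
const SKILL_ENV: Env = { SKILL_MODE: "demo", LD_PRELOAD: "/tmp/evil.so" };

console.log("weak:    ", buildEnvWeak(HOST_ENV, parseDotenv(DOTENV_TEXT), SKILL_ENV));
console.log("hardened:", buildEnv(HOST_ENV, parseDotenv(DOTENV_TEXT), SKILL_ENV));
```

A denylist like RUNTIME_CONTROL_KEYS is never complete, which is why the filter runs on the merged result rather than trusting any one source; for variables from a workspace or a third-party skill, an allowlist of the keys the integration actually needs is the stronger design. PATH and interpreter-selection variables deserve the same scrutiny, since the path traversal CVEs in this group are the same problem expressed through a directory rather than a variable.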
Privilege Escalation and Authorization Bypasses
CVE-2026-53843 (CVSS 8.8) is the batch's highest-severity CVE: a surviving pairing-scoped device session can re-establish WebSocket node token authority after revocation, weakening revocation controls. CVE-2026-53854 (CVSS 6.5) allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. CVE-2026-53847 (CVSS 5.4) lets Gateway operators with operator.write access modify global configuration without requiring operator.admin privileges. CVE-2026-53852 (CVSS 5.4) bypasses scope containment during device re-pairing, and CVE-2026-53850 (CVSS 5.5) skips authorization checks in the focus command.
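Three of the flaws in this group are authorization state that is checked in one place but not another: a revoked pairing whose live session can still mint a node token, a re-pairing that is not held inside the original scope grant, and a global-config write gated on operator.write instead of operator.admin. The block below is an added illustration, not OpenClaw's code, of a small pairing and session registry that shows the weak and hardened forms of each check side by side. The Pairing and Session shapes, the scope names node.read and node.exec, and the token format are constructed for the example; operator.write and operator.admin are the scope names the advisory itself mentions.

```typescript
// Added example, not OpenClaw's code: a generic pairing / session / node-token
// model. The weak paths record revocation on the pairing only and trust any
// surviving session; the hardened paths re-check the pairing at every
// token-issuing step, sweep sessions on revoke, and keep re-pairing inside the
// original scope grant.

interface Pairing { id: string; revoked: boolean; scopes: string[]; }
interface Session { id: string; pairingId: string; }

function isSubset(requested: string[], granted: string[]): boolean {
  return requested.every((s) => granted.indexOf(s) !== -1);
}

class NodeAuthority {
  private pairings: { [id: string]: Pairing | undefined } = {};
  private sessions: { [id: string]: Session | undefined } = {};
  private serial = 0;

  // First-time pairing: the scopes granted here are the ceiling for the device.
  pair(id: string, scopes: string[]): void {
    this.pairings[id] = { id, revoked: false, scopes: scopes.slice() };
  }

  openSession(sessionId: string, pairingId: string): boolean {
    const p = this.pairings[pairingId];
    if (!p || p.revoked) return false;
    this.sessions[sessionId] = { id: sessionId, pairingId };
    return true;
  }

  // Weak revoke: flips the flag and leaves live sessions untouched.
  revokePairingWeak(id: string): void {
    const p = this.pairings[id];
    if (p) p.revoked = true;
  }

  // Hardened revoke: also tears down every session hanging off the pairing.
  revokePairing(id: string): void {
    this.revokePairingWeak(id);
    for (const sid of Object.keys(this.sessions)) {
      const s = this.sessions[sid];
      if (s && s.pairingId === id) delete this.sessions[sid];
    }
  }

  // Weak issue: any live session can mint a node token.
  issueNodeTokenWeak(sessionId: string): string | null {
    const s = this.sessions[sessionId];
    return s ? this.mint(s.pairingId) : null;
  }

  // Hardened issue: re-check the pairing at the moment of issue, whether or not
  // the session object survived; a stale session is dropped on sight.
  issueNodeToken(sessionId: string): string | null {
    const s = this.sessions[sessionId];
    if (!s) return null;
    const p = this.pairings[s.pairingId];
    if (!p || p.revoked) { delete this.sessions[sessionId]; return null; }
    return this.mint(p.id);
  }

  // Re-pairing may narrow the scope set but never widen it.
  repair(id: string, requestedScopes: string[]): boolean {
    const p = this.pairings[id];
    if (!p || p.revoked) return false;
    if (!isSubset(requestedScopes, p.scopes)) return false;
    p.scopes = requestedScopes.slice();
    return true;
  }

  private mint(pairingId: string): string {
    this.serial += 1;
    return `node-token:${pairingId}:${this.serial}`; // placeholder, not a real credential format
  }
}

// Global configuration writes require operator.admin; operator.write alone is not enough.
function canWriteGlobalConfig(scopes: string[]): boolean {
  return scopes.indexOf("operator.admin") !== -1;
}

// Constructed scenario: pair a device, open a session, revoke, then try to mint.
function revocationScenario(): { weak: string | null; hardened: string | null } {
  const a = new NodeAuthority();
  a.pair("dev-1", ["node.read"]);
  a.openSession("sess-A", "dev-1");
  a.revokePairingWeak("dev-1");
  const weak = a.issueNodeTokenWeak("sess-A"); // token minted after revocation

  const b = new NodeAuthority();
  b.pair("dev-1", ["node.read"]);
  b.openSession("sess-A", "dev-1");
  b.revokePairing("dev-1");
  const hardened = b.issueNodeToken("sess-A"); // null
  return { weak, hardened };
}

console.log(revocationScenario());
console.log("operator.write may edit global config:", canWriteGlobalConfig(["operator.write"])); // false
```

The design point is that revocation must be enforced where authority is exercised, not only where it is recorded: even if the sweep in revokePairing were missed, issueNodeToken still refuses because it consults the pairing's current state. Sessions that outlive revocation are a recurring bug class in any system with more than one cache of "who is allowed", and the test to write is exactly the one in revocationScenario.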
Remaining Issues
The remaining six CVEs are mostly Medium severity, with one rated High. CVE-2026-53862 (CVSS 4.2) is a bootstrap token replay vulnerability that grants broader scopes than intended. CVE-2026-53863 (CVSS 7.1) accepts unvalidated group IDs from tool group policy callers. CVE-2026-53856 (CVSS 5.5) restores OpenClaw.json with overly broad file permissions during config recovery. CVE-2026-53851 (CVSS 5.3) lets Slack reaction events enter the agent pipeline even when reaction notifications are disabled. CVE-2026-53845 (CVSS 4.3) bypasses before-tool-call hook coverage for skill commands on one dispatch path. CVE-2026-53844 (CVSS 6.5) skips session visibility guards in shared memory search.
Patch Status and Mitigation
All 25 CVEs affect OpenClaw versions before the 2026.5.x release line, with the individual fixes landing across releases from 2026.4.2 through 2026.5.26, the latest version the advisories reference. Because the fixes are spread across that many releases, running some 2026.5.x build is not by itself evidence of full coverage: confirm that the installed version is 2026.5.26 or later, and upgrade to the latest available OpenClaw release to address every disclosed vulnerability. No in-the-wild exploitation has been reported at the time of disclosure.
Bottom Line
This single-day disclosure of 25 CVEs reveals a broad attack surface in OpenClaw's allowlist enforcement, identity validation, and environment handling. The concentration of high-severity bypasses — particularly the exec allowlist flaws and the Discord/Zalo identity mismatches — makes this batch a priority for any team running OpenClaw in production. Administrators should audit their current version and apply the latest patches without delay.