VYPR
← All advisories
Medium severity6.5NVD Advisory· Published Jun 11, 2026

CVE-2026-53808

CVE-2026-53808

Description

OpenClaw before 2026.5.6 contains an approval policy bypass in Skill Workshop apply flow allowing agent tool calls to set apply:true despite pending approval, potentially modifying configs without authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenClaw before 2026.5.6 contains an approval policy bypass in Skill Workshop apply flow allowing agent tool calls to set apply:true despite pending approval, potentially modifying configs without authorization.

Vulnerability

OpenClaw versions prior to 2026.5.6 contain an approval policy bypass vulnerability in the Skill Workshop apply flow. The bug allows agent tool calls to set apply: true even when the approvalPolicy configuration is set to pending. This occurs in the apply path of the Skill Workshop feature, which can be reached via agent tool calls. The affected versions are all prior to 2026.5.6.

Exploitation

An attacker with the ability to make agent tool calls that reach the Skill Workshop apply path can exploit this vulnerability. The attacker does not need to have the required approval to apply changes but must have access to trigger that code path. This could be achieved by an authenticated Gateway operator or via a lower-trust input that reaches the path, depending on the deployment configuration.

Impact

Successful exploitation allows an attacker to apply a workshop change before the expected approval step, potentially modifying configurations without proper authorization. The practical impact depends on the operator's configuration and whether lower-trust input can reach that path. This could lead to unauthorized configuration changes with high integrity impact (CVSS v4 High integrity) but no confidentiality or availability impact.

Mitigation

The first stable patched version is 2026.5.6. Workarounds include manually reviewing Skill Workshop changes, keeping tool restrictions tight, narrowing channel and tool allowlists, and disabling the affected feature when not needed. The advisory also recommends avoiding sharing one Gateway between mutually untrusted users until patched [1][2].

References
  1. Skill Workshop apply flow could override pending approval
  2. OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OpenClaw/Openclawinferred2 versions
    < 2026.5.6+ 1 more
    • (no CPE)range: < 2026.5.6
    • (no CPE)range: <2026.5.6

Patches

1
c97b9f79ec43

test(plugin-sdk): satisfy fetch header lint

https://github.com/OpenClaw/OpenClawPeter SteinbergerMay 6, 2026Fixed in 2026.5.6via release-tag
commit
1 file changed · +1 1
  • src/plugin-sdk/fetch-auth.test.ts+1 1 modified
    @@ -125,7 +125,7 @@ describe("fetchWithBearerAuthScopeFallback", () => {
       enumerable: false,
     });
     const fetchFn = vi.fn(async (_url: string, init?: RequestInit) => {
-      new Headers(init?.headers);
+      expect(() => new Headers(init?.headers)).not.toThrow();
       return fetchFn.mock.calls.length === 1
         ? new Response("unauthorized", { status: 401 })
         : new Response("ok", { status: 200 });

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

2

News mentions

0

No linked articles in our index yet.