CVE-2026-53827
Description
OpenClaw before 2026.5.2 exposes Gateway credentials via message.action forwarding when model-controlled metadata selects attacker-supplied loopback URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenClaw versions before 2026.5.2 contain a credential exposure vulnerability in the message.action forwarding feature. The bug allows model-controlled metadata to specify a loopback Gateway URL, causing the action payload and Gateway credentials to be forwarded to that attacker-supplied loopback URL. The feature must be enabled and reachable for the code path to be triggered [1][2].
Exploitation
A remote attacker who can provide model-controlled action metadata (for example, through a lower-trust input path) can supply a malicious loopback target URL. When message.action forwarding processes that metadata, it sends the Gateway token and the full action payload to the attacker-controlled loopback endpoint. No additional authentication or user interaction beyond a reachable forwarding path is required [1]. The CVSS v4 vector indicates that only low privileges are required and that the attack is network-reachable [2].
Impact
Successful exploitation exposes the Gateway credentials (tokens) and the action payload contents to an attacker who can intercept the forwarded data with a local listener on the loopback address. This can lead to unauthorized access to Gateway resources, potential command execution using the stolen token, and disclosure of sensitive action payloads. The exposed credentials carry Gateway-operator-level privilege for the affected feature [1].
Mitigation
The first stable patched version is 2026.5.2 [1]. Until patched, operators should restrict message.action forwarding, avoid using model-supplied loopback targets, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when not needed [1]. The vulnerability is not listed on KEV as of the publication date.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
18b2a6e57fef6 docs: refresh plugin inventory for bundled channels
4 files changed · +6 −6
docs/plugins/plugin-inventory.md+2 −2 modified@@ -69,6 +69,8 @@ dependencies are available. | [litellm](/plugins/reference/litellm) | Adds LiteLLM model provider support to OpenClaw. | `@openclaw/litellm-provider`<br />included in OpenClaw | providers: litellm; contracts: imageGenerationProviders | | [llm-task](/plugins/reference/llm-task) | Generic JSON-only LLM tool for structured tasks callable from workflows. | `@openclaw/llm-task`<br />included in OpenClaw | contracts: tools | | [lmstudio](/plugins/reference/lmstudio) | Adds LM Studio model provider support to OpenClaw. | `@openclaw/lmstudio-provider`<br />included in OpenClaw | providers: lmstudio; contracts: memoryEmbeddingProviders | +| [matrix](/plugins/reference/matrix) | Adds the Matrix channel surface for sending and receiving OpenClaw messages. | `@openclaw/matrix`<br />included in OpenClaw | channels: matrix | +| [mattermost](/plugins/reference/mattermost) | Adds the Mattermost channel surface for sending and receiving OpenClaw messages. | `@openclaw/mattermost`<br />included in OpenClaw | channels: mattermost | | [memory-core](/plugins/reference/memory-core) | Adds memory embedding provider support. Adds agent-callable tools. | `@openclaw/memory-core`<br />included in OpenClaw | contracts: memoryEmbeddingProviders, tools | | [memory-wiki](/plugins/reference/memory-wiki) | Persistent wiki compiler and Obsidian-friendly knowledge vault for OpenClaw. | `@openclaw/memory-wiki`<br />included in OpenClaw | contracts: tools; skills | | [microsoft](/plugins/reference/microsoft) | Adds text-to-speech provider support. | `@openclaw/microsoft-speech`<br />included in OpenClaw | contracts: speechProviders | 
@@ -133,8 +135,6 @@ dependencies are available. | [googlechat](/plugins/reference/googlechat) | Adds the Google Chat channel surface for sending and receiving OpenClaw messages. | `@openclaw/googlechat`<br />ClawHub + npm | channels: googlechat | | [line](/plugins/reference/line) | Adds the LINE channel surface for sending and receiving OpenClaw messages. | `@openclaw/line`<br />ClawHub + npm | channels: line | | [lobster](/plugins/reference/lobster) | Typed workflow tool with resumable approvals. | `@openclaw/lobster`<br />ClawHub + npm | contracts: tools | -| [matrix](/plugins/reference/matrix) | Adds the Matrix channel surface for sending and receiving OpenClaw messages. | `@openclaw/matrix`<br />ClawHub + npm | channels: matrix | -| [mattermost](/plugins/reference/mattermost) | Adds the Mattermost channel surface for sending and receiving OpenClaw messages. | `@openclaw/mattermost`<br />ClawHub + npm | channels: mattermost | | [memory-lancedb](/plugins/reference/memory-lancedb) | Adds agent-callable tools. | `@openclaw/memory-lancedb`<br />ClawHub + npm | contracts: tools | | [msteams](/plugins/reference/msteams) | Adds the Microsoft Teams channel surface for sending and receiving OpenClaw messages. | `@openclaw/msteams`<br />ClawHub + npm | channels: msteams | | [nextcloud-talk](/plugins/reference/nextcloud-talk) | Adds the Nextcloud Talk channel surface for sending and receiving OpenClaw messages. | `@openclaw/nextcloud-talk`<br />ClawHub + npm | channels: nextcloud-talk |
docs/plugins/reference/matrix.md+1 −1 modified@@ -12,7 +12,7 @@ Adds the Matrix channel surface for sending and receiving OpenClaw messages. ## Distribution - Package: `@openclaw/matrix` -- Install route: ClawHub + npm +- Install route: included in OpenClaw ## Surface
docs/plugins/reference/mattermost.md+1 −1 modified@@ -12,7 +12,7 @@ Adds the Mattermost channel surface for sending and receiving OpenClaw messages. ## Distribution - Package: `@openclaw/mattermost` -- Install route: ClawHub + npm +- Install route: included in OpenClaw ## Surface
docs/plugins/reference.md+2 −2 modified@@ -69,8 +69,8 @@ pnpm plugins:inventory:gen | [llm-task](/plugins/reference/llm-task) | Generic JSON-only LLM tool for structured tasks callable from workflows. | `@openclaw/llm-task`<br />included in OpenClaw | contracts: tools | | [lmstudio](/plugins/reference/lmstudio) | Adds LM Studio model provider support to OpenClaw. | `@openclaw/lmstudio-provider`<br />included in OpenClaw | providers: lmstudio; contracts: memoryEmbeddingProviders | | [lobster](/plugins/reference/lobster) | Typed workflow tool with resumable approvals. | `@openclaw/lobster`<br />ClawHub + npm | contracts: tools | -| [matrix](/plugins/reference/matrix) | Adds the Matrix channel surface for sending and receiving OpenClaw messages. | `@openclaw/matrix`<br />ClawHub + npm | channels: matrix | -| [mattermost](/plugins/reference/mattermost) | Adds the Mattermost channel surface for sending and receiving OpenClaw messages. | `@openclaw/mattermost`<br />ClawHub + npm | channels: mattermost | +| [matrix](/plugins/reference/matrix) | Adds the Matrix channel surface for sending and receiving OpenClaw messages. | `@openclaw/matrix`<br />included in OpenClaw | channels: matrix | +| [mattermost](/plugins/reference/mattermost) | Adds the Mattermost channel surface for sending and receiving OpenClaw messages. | `@openclaw/mattermost`<br />included in OpenClaw | channels: mattermost | | [memory-core](/plugins/reference/memory-core) | Adds memory embedding provider support. Adds agent-callable tools. | `@openclaw/memory-core`<br />included in OpenClaw | contracts: memoryEmbeddingProviders, tools | | [memory-lancedb](/plugins/reference/memory-lancedb) | Adds agent-callable tools. | `@openclaw/memory-lancedb`<br />ClawHub + npm | contracts: tools | | [memory-wiki](/plugins/reference/memory-wiki) | Persistent wiki compiler and Obsidian-friendly knowledge vault for OpenClaw. | `@openclaw/memory-wiki`<br />included in OpenClaw | contracts: tools; skills |
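Review bot: the `@@ -69,6 +69,8 @@` hunk in docs/plugins/plugin-inventory.md moves the matrix and mattermost rows into the "included in OpenClaw" group, but the commit message states no reason for the install-route change and points at no bundling commit or release note; add that reference to the message so a reader of the inventory can verify why these two channel plugins are now listed as bundled.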
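Review bot: the context line `pnpm plugins:inventory:gen` in the docs/plugins/reference.md hunk indicates these tables are generator output, yet the same two rows are edited identically in both docs/plugins/reference.md and docs/plugins/plugin-inventory.md; confirm this diff was produced by running the generator (or add a check that regenerating yields an empty diff) so the two copies cannot drift apart.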
Vulnerability mechanics
Root cause
"Missing validation of model-controlled metadata in message.action forwarding allows attacker-supplied loopback URLs to capture Gateway credentials."
Attack vector
An attacker with low-privileged access to OpenClaw (before 2026.5.2) supplies a malicious loopback URL through model-controlled action metadata. The `message.action` forwarding mechanism then forwards action payloads containing Gateway credentials to that attacker-supplied URL, allowing the attacker to intercept Gateway tokens and action payloads. This is a credential exposure vulnerability akin to a server-side request forgery or information disclosure weakness.
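The defensive pattern the mitigation advice implies, as an added example that is not OpenClaw's own code: model-controlled metadata may only select among operator-configured forwarding origins, and the Gateway token is attached only to a destination rebuilt from that configuration. All function names, the `allowlist` config shape and the sample origins are assumptions.

```javascript
// Added example, not OpenClaw's own code: an operator-side allowlist gate for
// action forwarding. Function names and the config shape are hypothetical.
// The model may only *select* among operator-configured origins; a URL it
// supplies is never dialled directly, so it cannot steer the Gateway token.

// Hostnames that resolve to this machine. WHATWG URL parsing already
// normalises shorthand such as "127.1" to "127.0.0.1" before we get here.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h) || h === "0.0.0.0") return true;
  return h === "::1" || h === "::ffff:7f00:1";
}

// `requested` is model-controlled metadata and is treated as untrusted input.
// `allowlist` holds origins chosen by the operator (constructed sample below).
function selectForwardTarget(requested, allowlist) {
  let url;
  try {
    url = new URL(requested);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  const allowed = allowlist.find((origin) => new URL(origin).origin === url.origin);
  if (!allowed) {
    // Surface loopback separately: a request for it is the exact pattern
    // behind this CVE and is worth alerting on, not just dropping.
    const reason = isLoopbackHost(url.hostname) ? "loopback-not-allowlisted" : "not-allowlisted";
    return { ok: false, reason };
  }
  // Rebuild the destination from the configured origin, keeping only the path.
  return { ok: true, target: new URL(url.pathname, allowed).href };
}

// The Gateway token is attached only to a destination that came from config.
function buildForward(actionPayload, gatewayToken, requested, allowlist) {
  const sel = selectForwardTarget(requested, allowlist);
  if (!sel.ok) return { forwarded: false, reason: sel.reason };
  return {
    forwarded: true,
    url: sel.target,
    headers: { Authorization: `Bearer ${gatewayToken}` },
    body: JSON.stringify(actionPayload),
  };
}

// Constructed sample config: the only origin this operator forwards to.
const SAMPLE_ALLOWLIST = ["https://hooks.example.internal"];
```

An origin allowlist does not stop a configured hostname from later resolving to a loopback or internal address; if that matters in your deployment, resolve and re-check the address at connect time or pin it in config.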
Affected code
The commit only updates documentation (plugin-inventory.md, reference.md, and the Matrix/Mattermost plugin reference pages) to change the install route from "ClawHub + npm" to "included in OpenClaw" for the Matrix and Mattermost channel plugins. This documentation change does not contain any fix for the credential exposure vulnerability described in the advisory. The bundle does not include the actual source-code patch that addresses the credential exposure in `message.action` forwarding.
What the fix does
The patch provided [patch_id=5752431] only alters documentation to mark the Matrix and Mattermost channel plugins as "included in OpenClaw" rather than available via ClawHub + npm. This does not modify any application logic, so it cannot close the credential exposure vulnerability. No actual fix for the `message.action` forwarding bug is present in the bundle.
Preconditions
- Auth: Attacker must be authenticated as a low-privilege user (PR:L per CVSS).
- Input: Attacker must be able to influence model-controlled metadata in an action message.
- Network: Network access to the OpenClaw instance is required (AV:N per CVSS).
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.