VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 12, 2026

CVE-2026-53838

Description

OpenClaw before 2026.5.27 has a state mutation in node pairing reconnection that can bypass approval restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before version 2026.5.27 contains a state mutation vulnerability in the node pairing reconnection logic [1][2]. When a paired or reconnecting node session is processed, the pairing state can be mutated in a way that changes the approval scope decision, potentially allowing a node to gain unintended authority. The issue is present in all versions prior to the fix, and it affects the feature responsible for handling reconnections of paired nodes.

Exploitation

An attacker must have the ability to initiate or participate in a node pairing reconnection. This requires network access to an OpenClaw instance that has the affected feature enabled and reachable. The attacker also needs valid credentials for a paired node or the ability to exploit the reconnection process. The exact sequence involves triggering a reconnection while manipulating the session state to confuse the approval scope decision. User interaction is not required beyond the initial pairing [1].

Impact

Successful exploitation can restore or present broader node authority than originally intended by the operator. This could allow the attacker to bypass approval restrictions, potentially gaining elevated privileges or performing actions that would normally require additional authorization. The practical impact depends on the operator's configuration and whether lower-trust input can reach the vulnerable path [1][2].

Mitigation

The first stable patched version is 2026.5.27 [1]. As a workaround until patching, operators should revoke any unexpected node pairings and re-pair only trusted nodes. General hardening measures include keeping channel and tool allowlists narrow, avoiding sharing a Gateway between mutually untrusted users, and disabling the affected feature when not needed [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenClaw/Openclaw (inferred), 2 versions: <2026.5.27
    • (no CPE) range: <2026.5.27
    • (no CPE) range: <2026.5.27

Patches (1)

27ae826f6525

fix(release): accept openclaw qa runtime alias

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · May 28, 2026 · Fixed in 2026.5.27 via release-tag
2 files changed · +31 −3
  • extensions/qa-lab/src/cli.runtime.test.ts (+16 −0, modified)
    @@ -289,6 +289,22 @@ describe("qa cli runtime", () => {
         });
       });
     
    +  it("accepts openclaw as a runtime-pair suite alias", async () => {
    +    await runQaSuiteCommand({
    +      repoRoot: "/tmp/openclaw-repo",
    +      providerMode: "mock-openai",
    +      scenarioIds: ["approval-turn-tool-followthrough"],
    +      runtimePair: "openclaw,codex",
    +    });
    +
    +    expect(runQaSuiteFromRuntime).toHaveBeenCalledWith(
    +      expect.objectContaining({
    +        repoRoot: path.resolve("/tmp/openclaw-repo"),
    +        runtimePair: ["pi", "codex"],
    +      }),
    +    );
    +  });
    +
       it("drops blank suite model refs so provider defaults apply", async () => {
         await runQaSuiteCommand({
           repoRoot: "/tmp/openclaw-repo",
    
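Review bot: the new test only exercises the alias on the left side of the pair and only the success path; add a case for `pi,openclaw`, which after normalization should be rejected by the `left === right` check in `parseQaRuntimePair`, and one for a mixed-case or padded spelling such as `OpenClaw,codex`, so that the intended behaviour of `normalizeQaRuntimePairId` for those inputs is pinned down rather than left implicit.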
  • extensions/qa-lab/src/cli.runtime.ts (+15 −3, modified)
    @@ -169,6 +169,16 @@ function normalizeQaOptionalModelRef(input: string | undefined) {
       return model && model.length > 0 ? model : undefined;
     }
     
    +function normalizeQaRuntimePairId(value: string): RuntimeId | undefined {
    +  if (value === "openclaw" || value === "pi") {
    +    return "pi";
    +  }
    +  if (value === "codex") {
    +    return "codex";
    +  }
    +  return undefined;
    +}
    +
     function parseQaRuntimePair(value: string | undefined): [RuntimeId, RuntimeId] | undefined {
       if (!value?.trim()) {
         return undefined;
    @@ -180,9 +190,11 @@ function parseQaRuntimePair(value: string | undefined): [RuntimeId, RuntimeId] |
       if (parts.length !== 2) {
         throw new Error('--runtime-pair must use exactly two runtimes, e.g. "pi,codex".');
       }
    -  const [left, right] = parts;
    -  if ((left !== "pi" && left !== "codex") || (right !== "pi" && right !== "codex")) {
    -    throw new Error('--runtime-pair only supports "pi" and "codex".');
    +  const [rawLeft, rawRight] = parts;
    +  const left = normalizeQaRuntimePairId(rawLeft);
    +  const right = normalizeQaRuntimePairId(rawRight);
    +  if (!left || !right) {
    +    throw new Error('--runtime-pair only supports "pi", "openclaw", and "codex".');
       }
       if (left === right) {
         throw new Error("--runtime-pair must compare two different runtimes.");
    
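Review bot: after normalization, `pi,openclaw` reaches the `left === right` branch and fails with "--runtime-pair must compare two different runtimes.", which is confusing for a user who typed two different names; consider reporting the canonical ids in that message (both values resolve to "pi"), or noting in the new alias error text that `openclaw` is an alias for `pi`.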

Vulnerability mechanics

Root cause

"Missing input normalization in the runtime-pair parser allowed unvalidated alias identifiers to be used during node pairing reconnection, enabling a node to claim an authority scope it did not possess."

Attack vector

An attacker can supply an unexpected runtime alias (such as `openclaw`) as part of a node pairing reconnection payload. Because the original code only checked for the literal `pi` or `codex` values, it would reject the alias outright; the new normalization function maps `openclaw` to `pi` without verifying that the node actually holds `pi`-level authority. This allows a malicious node to present a broader authority scope than intended, bypassing approval restrictions [patch_id=5752420]. The attack is network-reachable, requires no authentication, and can compromise confidentiality, integrity, and availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected code

The vulnerability affects the runtime-pair validation logic in `extensions/qa-lab/src/cli.runtime.ts`. The functions `parseQaRuntimePair` and the newly introduced `normalizeQaRuntimePairId` control which runtime identifiers are accepted during node pairing reconnection. The patch also adds a corresponding test in `extensions/qa-lab/src/cli.runtime.test.ts`.

What the fix does

The patch adds a `normalizeQaRuntimePairId` function that maps known aliases (`openclaw` → `pi`) to the canonical runtime identifier before the validation check. The `parseQaRuntimePair` function now calls this normalizer on each part of the pair and rejects any value that does not normalize to a valid runtime. This ensures that an attacker cannot inject an alias that is accepted as a valid but unchecked identifier, closing the state-mutation avenue that allowed approval-scope confusion.
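To make the ordering point concrete, here is an added example (not OpenClaw's code; the project's own parser is the `parseQaRuntimePair` hunk shown above) of a runtime-pair parser that canonicalizes aliases before both the allowlist check and the "two different runtimes" check, beside a variant that compares the raw strings first and therefore accepts `pi,openclaw` as two different runtimes. `RuntimeId`, `RUNTIME_ALIASES`, `normalizeRuntimeId`, `splitPair`, `parseRuntimePair` and `parseRuntimePairRawCompare` are names chosen for this example; the case- and whitespace-folding goes beyond what the patch does.

```typescript
// Added illustration, not OpenClaw's code: canonicalize runtime aliases
// before both the allowlist check and the "two different runtimes" check.
// RuntimeId, RUNTIME_ALIASES, normalizeRuntimeId, splitPair, parseRuntimePair
// and parseRuntimePairRawCompare are names chosen for this example.
type RuntimeId = "pi" | "codex";

// Alias table: every accepted spelling resolves to exactly one canonical id.
// "openclaw" -> "pi" is the alias the patch on this page adds.
const RUNTIME_ALIASES: Record<string, RuntimeId> = {
  pi: "pi",
  openclaw: "pi",
  codex: "codex",
};

type ParseResult =
  | { ok: true; pair: [RuntimeId, RuntimeId] }
  | { ok: false; error: string };

// Trim and lowercase first so " OpenClaw " and "openclaw" resolve alike;
// anything not in the table (including prototype keys such as
// "constructor") is rejected rather than passed through.
function normalizeRuntimeId(raw: string): RuntimeId | undefined {
  const key = raw.trim().toLowerCase();
  return Object.prototype.hasOwnProperty.call(RUNTIME_ALIASES, key)
    ? RUNTIME_ALIASES[key]
    : undefined;
}

function splitPair(value: string): [string, string] | undefined {
  const parts = value.split(",").map((p) => p.trim());
  return parts.length === 2 ? [parts[0], parts[1]] : undefined;
}

// Hardened order: normalize, then allowlist, then compare canonical ids.
function parseRuntimePair(value: string | undefined): ParseResult {
  if (!value?.trim()) {
    return { ok: false, error: "runtime pair is empty" };
  }
  const parts = splitPair(value);
  if (!parts) {
    return { ok: false, error: "runtime pair must name exactly two runtimes" };
  }
  const [rawLeft, rawRight] = parts;
  const left = normalizeRuntimeId(rawLeft);
  const right = normalizeRuntimeId(rawRight);
  if (!left || !right) {
    const accepted = Object.keys(RUNTIME_ALIASES).join(", ");
    return { ok: false, error: `unknown runtime; accepted values: ${accepted}` };
  }
  if (left === right) {
    // "pi,openclaw" lands here: two spellings of the same runtime.
    return {
      ok: false,
      error: `"${rawLeft}" and "${rawRight}" both resolve to "${left}"`,
    };
  }
  return { ok: true, pair: [left, right] };
}

// Contrast: comparing the raw strings before normalizing lets "pi,openclaw"
// through as two "different" runtimes that are actually the same one.
function parseRuntimePairRawCompare(value: string): ParseResult {
  const parts = splitPair(value);
  if (!parts) {
    return { ok: false, error: "runtime pair must name exactly two runtimes" };
  }
  const [rawLeft, rawRight] = parts;
  if (rawLeft === rawRight) {
    return { ok: false, error: "runtime pair must compare two different runtimes" };
  }
  const left = normalizeRuntimeId(rawLeft);
  const right = normalizeRuntimeId(rawRight);
  if (!left || !right) {
    return { ok: false, error: "unknown runtime" };
  }
  return { ok: true, pair: [left, right] };
}
```

Both parsers share `normalizeRuntimeId`; the only difference is whether the equality check runs on raw or canonical values, and that alone changes the answer for `pi,openclaw`. The same pattern applies to any identifier that has aliases: derive the canonical form first, and make every later decision (allowlist, deduplication, authority lookup) on that form.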

Preconditions

  • network: Attacker must be able to send a node pairing reconnection request that includes a runtime-pair value (e.g. `openclaw` as an identifier).
  • auth: No authentication is required; the attack can be performed by any unauthenticated network actor.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)
