VYPR
NVD Advisory · High severity (8.8) · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-53843

Description

OpenClaw before 2026.5.26 allows a surviving pairing-scoped device session to re-establish revoked node token authority, weakening revocation controls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation [1][2]. The flaw resides in the WebSocket node-level authorization mechanism: when a device’s node token is revoked, the paired device may still hold a live session with pairing-related scope, allowing it to regain node-level access without renewed approval [1]. Affected configurations require an already paired device that keeps a same-device session with pairing scope after its node token is revoked [1].

Exploitation

An attacker requires a device that was previously paired and maintains an active pairing-scoped session. After the node token for that device is revoked (e.g., by an operator), the surviving session can re-establish the revoked token authority [1][2]. The attacker does not need to perform any additional authentication or user interaction; the stale session persists and is reused to regain WebSocket access [1].

Impact

Successful exploitation allows the attacker to regain WebSocket node-level access to the gateway without renewed approval, effectively bypassing token revocation [1][2]. This weakens the revocation control as an operator mechanism and can maintain unauthorized node-level access longer than intended [1]. The impact is limited to devices that already had a legitimate pairing/session foothold; unauthenticated device creation is not possible [1].

Mitigation

The first stable patched version is 2026.5.26 [1]. Users should upgrade to openclaw@2026.5.26 or later. If a node token was revoked on an older version, restart the gateway and remove/re-pair the affected device to ensure no stale session remains active [1]. No workaround is available beyond the upgrade and manual cleanup steps.
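To make the revocation gap described in the Vulnerability and Mitigation sections concrete, here is an added toy model of a gateway's device-session and node-token registry. It is not OpenClaw's code; the names `Gateway`, `Session`, `approve_and_pair` and `reissue_from_session` are hypothetical. It contrasts a revocation routine that only deletes the node token (leaving a same-device pairing-scoped session alive to mint a replacement) with a hardened one that also terminates the device's sessions and withdraws operator approval, so that regaining node-level access requires a fresh pairing decision.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    """A live WebSocket session held by a paired device (hypothetical model)."""
    session_id: str
    device_id: str
    scopes: set = field(default_factory=set)   # e.g. {"pairing"}


class Gateway:
    """Toy gateway state: which devices are approved, which node tokens are
    active, and which sessions are alive.  `hardened=False` reproduces the
    revocation weakness; `hardened=True` binds revocation to sessions."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.approved = set()      # device_id -> currently approved by operator
        self.node_tokens = {}      # device_id -> active node token
        self.sessions = {}         # session_id -> Session

    def approve_and_pair(self, device_id: str):
        """Operator approves the device: it gets a node token and a
        pairing-scoped session.  Returns (node_token, session_id)."""
        self.approved.add(device_id)
        token = secrets.token_hex(16)
        self.node_tokens[device_id] = token
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(sid, device_id, {"pairing"})
        return token, sid

    def node_access(self, device_id: str, token) -> bool:
        """True only if the presented token is the device's active node token."""
        return token is not None and self.node_tokens.get(device_id) == token

    def revoke_node_token(self, device_id: str) -> None:
        """Operator revokes node-level authority for the device."""
        self.node_tokens.pop(device_id, None)
        if self.hardened:
            # Revocation must also kill every session of that device and
            # withdraw approval; otherwise a surviving pairing-scoped
            # session can re-establish the authority just revoked.
            self.approved.discard(device_id)
            stale = [sid for sid, s in self.sessions.items() if s.device_id == device_id]
            for sid in stale:
                del self.sessions[sid]

    def reissue_from_session(self, session_id: str):
        """The re-establishment path: a pairing-scoped session asks for a
        new node token.  Returns the token, or None if refused."""
        sess = self.sessions.get(session_id)
        if sess is None or "pairing" not in sess.scopes:
            return None
        if self.hardened and sess.device_id not in self.approved:
            return None   # renewed operator approval is required
        token = secrets.token_hex(16)
        self.node_tokens[sess.device_id] = token
        return token


def demo():
    """Returns (weak_regained, hardened_regained): whether a device whose node
    token was revoked could regain node access via its surviving session."""
    results = []
    for hardened in (False, True):
        gw = Gateway(hardened=hardened)
        token, sid = gw.approve_and_pair("device-A")      # constructed sample device
        assert gw.node_access("device-A", token)
        gw.revoke_node_token("device-A")
        assert not gw.node_access("device-A", token)     # old token is dead either way
        new_token = gw.reissue_from_session(sid)         # stale session tries again
        results.append(gw.node_access("device-A", new_token))
    return tuple(results)


if __name__ == "__main__":
    print("regained after revocation (weak, hardened):", demo())   # (True, False)
```

The check an operator can apply on an affected deployment mirrors the hardened branch: after revoking a device's node token, confirm that no session for that device remains in the live-session table, and that re-pairing requires a fresh approval rather than succeeding from an existing session.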

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OpenClaw / openclaw (product mapping inferred; no CPE assigned): affected range <2026.5.26

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.