CVE-2026-53844

Vulnerability

OpenClaw versions before 2026.4.29 contain a session visibility check bypass in shared memory search [1][2]. The vulnerability affects the memory-wiki shared search path, where the session visibility guard is skipped, enabling authenticated callers to access memory entries without proper authorization. The affected feature must be enabled and reachable for exploitation [1].

Exploitation

An attacker must be an authenticated caller able to search shared memory [1]. With network access (CVSS:4.0/AV:N) and low privileges (PR:L), the attacker can trigger the search path that misses the session visibility check, bypassing authorization controls [2]. No user interaction or complex attack sequence is required, but attack complexity is assessed as low (AC:L) with attack prerequisites (AT:P) [2].

Impact

Successful exploitation allows retrieval of memory entries that should not be visible to the attacker's session, leading to high confidentiality impact (VC:H) [1][2]. The vulnerability does not affect integrity or availability [2]. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path [1]. The vulnerability is scoped to the named feature and does not alter OpenClaw's trusted-operator model [1].

Mitigation

A patch was released in version 2026.4.29 [1][2]. Mitigations include limiting shared memory search to trusted operators until patched, keeping channel and tool allowlists narrow, avoiding shared Gateway instances between mutually untrusted users, and disabling the affected feature when not needed [1]. The vulnerability is not listed on the CISA KEV.