CVE-2026-53847
Description
OpenClaw before 2026.5.6 allows privilege escalation via Active Memory write scope, enabling operator.write users to modify global config without admin privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenClaw before 2026.5.6 allows privilege escalation via Active Memory write scope, enabling operator.write users to modify global config without admin privileges.
Vulnerability
OpenClaw before version 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope. Gateway operators with operator.write access can modify global configuration without requiring operator.admin privileges due to insufficient scope validation [1][2].
Exploitation
An attacker with network access and operator.write privileges can exploit the insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope. No other prerequisites are required [1][2].
Impact
Successful exploitation allows the attacker to change global configuration, leading to privilege escalation. The practical impact depends on the operator's configuration and whether lower-trust input can reach the affected path [1].
Mitigation
The vulnerability is fixed in OpenClaw version 2026.5.6. As a workaround, limit Active Memory write access to trusted operators and disable the feature when not needed [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.