CVE-2026-53848

Vulnerability

OpenClaw versions before 2026.5.26 contain an exec allowlist bypass vulnerability (CWE-184) [1][2]. The flaw resides in the command execution allowlist mechanism, where a command request that reaches the exec allowlist path is evaluated against the inner command while the wrapper invocation still executes. This allows authenticated operators to craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations outside the intent of the allowlisted command [1].

Exploitation

An attacker must be an authenticated operator with access to the affected feature and configuration [1]. The attacker can craft a command request that uses a transparent command wrapper to execute wrapper-level side effects that are not covered by the allowlist validation. The vulnerability is reachable when the affected feature is enabled and the operator can send requests to that path [1]. No user interaction beyond authentication is required; the attack vector is network-based with low attack complexity and low privileges required (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N) [2].

Impact

Successful exploitation allows the attacker to perform wrapper-level side effects outside the intended scope of the allowlisted command [1]. The impact is limited to integrity (low) with no confidentiality or availability impact (CVSS v4: VI:L, VC:N, VA:N) [2]. The practical impact depends on the operator's configuration and whether lower-trust input can reach that path [1]. The vulnerability does not change OpenClaw's trusted-operator model; authenticated Gateway operators remain trusted unless a separate policy boundary is crossed [1].

Mitigation

The first stable patched version is 2026.5.26 [1]. Users should upgrade to this version or later. As a workaround, review wrapper commands carefully and require approval for shell-like wrapper usage until patched [1]. Additional mitigations include keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when not needed [1]. No KEV listing is mentioned.