CVE-2026-53853
Description
OpenClaw before 2026.5.12 on Linux and macOS bypasses configured argument pattern restrictions in exec allowlists, allowing attackers to execute disallowed arguments for allowlisted executables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenClaw before 2026.5.12 on Linux and macOS bypasses configured argument pattern restrictions in exec allowlists, allowing attackers to execute disallowed arguments for allowlisted executables.
Vulnerability
OpenClaw versions before 2026.5.12 contain an argument pattern validation bypass in the exec allowlist feature on Linux and macOS systems. The allowlist supports optional argPattern entries to restrict arguments for an allowlisted executable. However, due to a missing check in the code path for Linux and macOS, the gateway skips argPattern validation and treats a matching executable path as sufficient to satisfy the allowlist. This affects deployments where tools.exec.security is set to allowlist, at least one allowlist entry uses argPattern, and the allowlisted executable accepts security-relevant arguments. Windows is not affected because the code path correctly applies argPattern checks [1][2].
Exploitation
An attacker who can influence a tool-enabled agent to call exec (e.g., an untrusted or lower-trust sender) can directly invoke an allowlisted executable with unrestricted arguments. The attacker does not need to bypass authentication or network access beyond the ability to send commands to the agent. By providing arbitrary arguments to an allowlisted executable such as git, python, node, bash, find, tar, or ssh, the attacker can trigger actions that the operator intended to restrict with argPattern [1].
Impact
Successful exploitation allows the attacker to execute disallowed arguments for the allowlisted executable, leading to unauthorized host-side file access, network access, or command execution. The impact depends on the specific executable and arguments used; for example, git could be used to clone repositories, python to execute arbitrary code, or ssh to connect to remote systems. This bypasses the approval prompt that would normally be required for such arguments, effectively elevating the attacker's control over the host [1][2].
Mitigation
The issue is fixed in OpenClaw version 2026.5.12. Users should upgrade to this version or later. As a workaround, operators can review their allowlist entries and consider using path-only allowlist entries (which intentionally allow any arguments) or restrict the executables that are allowlisted. No known public exploit code has been reported, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.