OpenClaw: 25 CVEs Disclosed in Largest Security Batch, Including Code Execution and Critical Auth Bypass
Key findings • 25 CVEs disclosed across June 11-12, 2026 — largest security update in OpenClaw history • One Critical-severity flaw (CVE-2026-53838, CVSS 9.8) — node pairing reconnection …
Key findings
- 25 CVEs disclosed across June 11-12, 2026 — largest security update in OpenClaw history
- One Critical-severity flaw (CVE-2026-53838, CVSS 9.8) — node pairing reconnection state mutation
- At least 8 authorization bypass CVEs covering slash commands, native commands, and loopback paths
- Code execution via skill install .env overrides (CVE-2026-53819, CVSS 8.8) and shell wrapper argv mutation (CVE-2026-53822)
- All vulnerabilities fixed in OpenClaw 2026.5.27; no active exploitation reported
- Bugs span identity spoofing, token revocation bypass, credential exposure, and approval display truncation
On June 11–12, 2026, the OpenClaw project disclosed a batch of 25 security vulnerabilities, the largest coordinated security update in the open-source AI agent orchestration platform's history. The bugs span authorization bypass, privilege escalation, code execution, and policy evasion flaws, all affecting versions prior to the 2026.5.27 release. Given OpenClaw's role as a bridge between large language models and system infrastructure, the breadth of flaws raises significant concerns about trust boundaries in agent workflows.
Critical Flaw: State Mutation in Node Pairing
The batch includes a single Critical-severity vulnerability, CVE-2026-53838 (CVSS 9.8), a state mutation bug in node pairing reconnection. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions entirely. This flaw stands out as the most severe in the batch, representing a fundamental trust failure in the pairing handshake.
Code Execution and Command Injection
Several High-severity bugs create direct code execution paths. CVE-2026-53819 (CVSS 8.8) allows arbitrary code execution during skill install flows, where workspace .env files can override the Homebrew executable selection. CVE-2026-53822 (CVSS 8.8) is a command injection vulnerability where shell wrapper argv can change between approval and execution, letting attackers rebuild command arguments after allowlist approval to execute unapproved command shapes. CVE-2026-53831 (CVSS 8.3) exploits shell metacharacters in approved commands to read unintended node-local files.
Authorization Bypass Clusters
The largest single theme is authorization bypass, with at least eight CVEs covering distinct bypass vectors:
- Slash command bypass:
CVE-2026-53834(CVSS 7.5, High) allows authenticated senders to skipallowFrompolicy checks via QQBot pre-dispatch slash commands.CVE-2026-53833(CVSS 7.7, High) targets the QQBot streaming command for configuration mutation outside admin policy. - Native command bypass:
CVE-2026-53828(CVSS 8.8, High) lets authenticated senders execute owner-only commands without proper policy enforcement. - Loopback path bypass:
CVE-2026-53818(CVSS 6.6, Medium) allows non-owner callers to skip owner-only tool policies and before-tool-call hooks via the MCP loopback feature.CVE-2026-53820(CVSS 6.6, Medium) bypasses command denylists in the bundle MCP session-spawn path. - Channel policy bypass:
CVE-2026-53815(CVSS 6.5, Medium) skips channel allowlist checks in message read actions.CVE-2026-53837(CVSS 3.7, Low) bypasses DM policy by exploiting missing channel type metadata in Mattermost events. - Dynamic binding bypass:
CVE-2026-53835(CVSS 4.3, Medium) allows Feishu dynamic-agent bindings to ignore configured config-write controls.
Privilege Escalation and Identity Spoofing
CVE-2026-53823 (CVSS 8.1, High) is a novel privilege escalation bug where the allowFrom feature binds to mutable Slack display names — attackers can change their Slack display name to match policy entries and gain unauthorized agent access. CVE-2026-53832 (CVSS 7.7, High) lets local same-host callers forge trusted-proxy identity headers to assume operator identity. CVE-2026-53821 (CVSS 8.8, High) accepts WebSocket client-declared operator scopes before binding to server-approved pairing, allowing unpaired clients to obtain cached operator.admin authority.
Authentication Material Exposure
CVE-2026-53839 (CVSS 6.5, Medium) is a hostname validation vulnerability in retry endpoint checks that matches hostname prefixes instead of exact hostnames, potentially sending authentication material to untrusted endpoints. CVE-2026-53827 (CVSS 6.5, Medium) exposes Gateway credentials when model-controlled metadata forwards action payloads to attacker-supplied loopback URLs.
Token and Secret Revocation Failures
CVE-2026-53830 (CVSS 6.5, Medium) allows old Slack and Zalo webhook secrets to remain active after secrets.reload, giving attackers a stale-secret window to deliver webhook events. CVE-2026-53824 (CVSS 6.5, Medium) lets callers with revoked slash tokens continue executing commands during monitor refresh windows.
Additional High-Impact Flaws
CVE-2026-53829 (CVSS 8.0, High) is an approval display truncation vulnerability — authenticated users can submit oversized exec commands with benign prefixes and malicious suffixes that get hidden from approvers. CVE-2026-53817 (CVSS 8.8, High) lets attackers with network access spoof locality information during Control UI pairing to obtain durable admin-capable device tokens. CVE-2026-53816 (CVSS 7.2, High) allows paired nodes to forge exec lifecycle events without system.run authorization. CVE-2026-53825 (CVSS 6.5, Medium) enables arbitrary file read via the memory-wiki ingest feature for authenticated Gateway operators with operator.write scope. CVE-2026-53826 (CVSS 4.3, Medium) exposes the real workspace path to child prompts in sandboxed session spawning. CVE-2026-53836 (CVSS 8.8, High) bypasses the PowerShell encoded-command allowlist by using unrecognized abbreviated flag aliases.
Response and Patch Status
All 25 vulnerabilities are fixed in OpenClaw 2026.5.27 and later releases, according to the vendor. Vypr Intelligence, which covered the initial batch of 14 CVEs disclosed on June 11, noted that no active exploitation had been reported at the time of disclosure. The disclosure spans five release versions of OpenClaw (2026.4.7 through 2026.5.22), meaning users on versions prior to 2026.5.27 are vulnerable to all bugs introduced since their respective affected versions.
Why This Matters
This batch is the most significant coordinated security update in OpenClaw's history, reflecting the complexity of securing an AI agent orchestration platform that bridges LLMs, chat platforms, and system infrastructure. The diversity of bypasses — from display-name spoofing to stale-token acceptance to shell expansion — shows how many trust assumptions are embedded across the platform's integration points. Users should prioritize upgrading to 2026.5.27 to close all disclosed attack paths. Given OpenClaw's role in handling privileged operations and credentials, the lack of active exploitation reports should not invite complacency; the technical depth of the flaws makes them attractive targets for actor analysis.