CVE-2026-53817
Status: Analyzed (analysis complete)

Locality Validation Bypass in OpenClaw Control UI

Vulnerability report for CVE-2026-53817, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: VulnCheck

Description

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-12
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
Affected Vendors & Products

Showing 1 associated CPE

Vendor   | Product  | Version / Range
openclaw | openclaw | all versions before 2026.5.22 (2026.5.22 excluded)

Exploitability

CWE

CWE ID  | Description
CWE-290 | Authentication Bypass by Spoofing: this attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

AI Quick Actions

Executive Summary

This vulnerability affects OpenClaw versions before 2026.5.22 and lies in the Control UI pairing process. Pairing derives trust from the request's apparent locality, and that locality is not validated strongly enough: an attacker with network access can spoof the locality information and complete pairing as if the request were local. The result is a durable device token with administrative capabilities.

The core issue is therefore insufficient validation of locality-derived trust. It lets an attacker turn temporary shared access into a persistent administrative credential, and because paired-device tokens are long-lived, the credential remains valid even after token rotation, allowing continued unauthorized access.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to gain persistent administrative access to an OpenClaw deployment. With admin-capable device tokens, an attacker can act with the same authority as a legitimately paired administrator: control the deployment, manipulate its functions, access sensitive data, or disrupt operations.

Because the obtained credentials are durable device tokens that survive token rotation, ordinary credential rotation does not end the attacker's access; the rogue paired device has to be identified and explicitly removed. This makes compromise long-lasting and harder to recover from, increasing the risk and severity.

Compliance Impact

The vulnerability allows attackers to obtain persistent administrative credentials by spoofing locality information, which can lead to unauthorized access and control over devices.

Such unauthorized access and potential compromise of device integrity and availability could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Specifically, the flaw undermines authentication and access control mechanisms, increasing the risk of data breaches or unauthorized data manipulation, which are critical concerns under these regulations.

Mitigation Strategies

To mitigate the vulnerability, upgrade OpenClaw to version 2026.5.22 or later, which contains the fix.

Additionally, remove any unexpected paired devices manually to invalidate persistent admin-capable tokens that may have been created by exploiting the vulnerability.

Restrict Control UI pairing paths from untrusted networks to reduce the risk of locality spoofing attacks.
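The following is an added, constructed example, not OpenClaw's code and not a description of how OpenClaw actually derives locality (the advisory does not say). It illustrates the weakness class behind both the Executive Summary and the mitigations above: a pairing check that trusts a client-supplied locality hint (here a forwarded-address header, an assumed mechanism) versus one that decides only from the socket peer address against an allowlist of trusted networks, plus a paired-device registry showing why secret rotation does not revoke admin-capable device tokens and why unexpected paired devices must be removed explicitly. All names, headers and network ranges are hypothetical.

```python
"""Constructed illustration of locality-derived trust in a pairing flow
(CWE-290, authentication bypass by spoofing). NOT OpenClaw code: the
advisory does not state how OpenClaw derives locality, so the header-based
check below is an assumed example of the weakness class, and every name,
header and network range is hypothetical."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# Assumed allowlist: networks from which Control UI pairing is permitted.
TRUSTED_PAIRING_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


@dataclass
class PairingRequest:
    peer_addr: str                                   # TCP peer, from the socket
    headers: Dict[str, str] = field(default_factory=dict)  # attacker-controlled


def locality_vulnerable(req: PairingRequest) -> bool:
    """Spoofable: prefers a client-supplied locality hint over the socket peer."""
    hint = req.headers.get("X-Forwarded-For", req.peer_addr).split(",")[0].strip()
    return ipaddress.ip_address(hint).is_loopback


def locality_hardened(req: PairingRequest,
                      trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PAIRING_NETWORKS) -> bool:
    """Decides locality only from the socket peer, checked against an allowlist.
    Headers are ignored entirely; a mismatched address family simply fails."""
    addr = ipaddress.ip_address(req.peer_addr)
    return any(addr in net for net in trusted)


@dataclass
class DeviceRegistry:
    """Paired devices hold durable tokens; rotating the session secret does
    not touch them, which is why a rogue pairing survives rotation."""
    session_secret: str = field(default_factory=lambda: secrets.token_hex(16))
    devices: Dict[str, str] = field(default_factory=dict)  # device token -> role

    def pair(self, req: PairingRequest,
             locality_check: Callable[[PairingRequest], bool]) -> Optional[str]:
        """Issues an admin-capable device token only if the locality check passes."""
        if not locality_check(req):
            return None
        token = secrets.token_hex(16)
        self.devices[token] = "admin"
        return token

    def rotate(self) -> None:
        """Rotates the short-lived session secret; paired devices are untouched."""
        self.session_secret = secrets.token_hex(16)

    def revoke_unexpected(self, expected_tokens: Iterable[str]) -> int:
        """Removes every paired device not on the operator's expected list."""
        keep = set(expected_tokens)
        removed = [t for t in self.devices if t not in keep]
        for t in removed:
            del self.devices[t]
        return len(removed)

    def is_admin(self, token: str) -> bool:
        return self.devices.get(token) == "admin"


def demo() -> Dict[str, bool]:
    """Runs the attacker's request through both checks and shows the
    rotation-does-not-revoke behaviour and the manual-removal fix."""
    # Constructed attacker request: remote peer claiming to be loopback.
    attacker = PairingRequest("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
    reg = DeviceRegistry()
    rogue = reg.pair(attacker, locality_vulnerable)   # spoof succeeds
    reg.rotate()
    survives_rotation = rogue is not None and reg.is_admin(rogue)
    blocked = reg.pair(attacker, locality_hardened) is None
    reg.revoke_unexpected(expected_tokens=[])         # operator removes rogue device
    return {
        "spoof_pairs_when_vulnerable": rogue is not None,
        "token_survives_rotation": survives_rotation,
        "spoof_blocked_when_hardened": blocked,
        "revoked_after_manual_removal": rogue is not None and not reg.is_admin(rogue),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened check is the shape of the third mitigation: locality is a property of the transport (who the socket peer actually is), never of anything the client can write into the request, and pairing is further restricted to an explicit set of trusted networks. The registry shows why upgrading alone is not enough for an already-exploited instance: rotation replaces the session secret but leaves the rogue device token in place, so the paired-device list has to be audited and unexpected entries removed, as the second mitigation says.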
