CVE-2026-53847
Privilege Escalation in OpenClaw via Insufficient Scope Validation

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.
Affected Vendors & Products

Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.5.6 (exclusive)
CWE

CWE-266 (Incorrect Privilege Assignment): A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-53847 is a privilege escalation vulnerability in OpenClaw versions before 2026.5.6. It arises from improper scope validation in the Active Memory write functionality. This flaw allows Gateway operators who have operator.write access to modify global configuration settings without needing operator.admin privileges.

Attackers exploiting this vulnerability can bypass intended restrictions and apply unauthorized configuration changes beyond their designated write scope, potentially affecting the system's configuration integrity.
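The scope-validation gap described above, shown as an added illustration (this is not OpenClaw's code; the scope names are taken from the description, while the request shape and the rule that non-"memory." keys are global configuration are assumptions): the weak gate only checks that the caller may write at all, whereas the hardened gate derives the required scope from the target key.

```javascript
// Hypothetical Gateway scope gate modelled on CVE-2026-53847.
// Assumption: keys under "memory." belong to the Active Memory write
// scope; every other key is global Gateway configuration.
const SCOPE_WRITE = "operator.write";
const SCOPE_ADMIN = "operator.admin";

function isGlobalConfigKey(key) {
  return !key.startsWith("memory.");
}

// Weak shape: any write-capable operator can set any key, so a caller
// holding only operator.write reaches global configuration.
function applyConfigChangeWeak(scopes, key, value, config) {
  if (!scopes.includes(SCOPE_WRITE) && !scopes.includes(SCOPE_ADMIN)) {
    return { ok: false, reason: "caller has no write scope" };
  }
  config[key] = value;
  return { ok: true };
}

// Hardened shape: the required scope depends on what is being written.
// Global keys need operator.admin; Active Memory keys need operator.write
// (admin implies write). Denials carry a reason for audit logging.
function applyConfigChangeHardened(scopes, key, value, config) {
  const needsAdmin = isGlobalConfigKey(key);
  const hasAdmin = scopes.includes(SCOPE_ADMIN);
  const hasWrite = scopes.includes(SCOPE_WRITE);
  const allowed = hasAdmin || (!needsAdmin && hasWrite);
  if (!allowed) {
    const required = needsAdmin ? SCOPE_ADMIN : SCOPE_WRITE;
    return { ok: false, reason: `key "${key}" requires ${required}` };
  }
  config[key] = value;
  return { ok: true };
}
```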

Impact Analysis

This vulnerability can allow an attacker with operator.write access to escalate their privileges by modifying global configuration settings without proper authorization.

  • Unauthorized changes to global configuration can lead to system misconfiguration.
  • Potential reduction in system integrity and availability due to unauthorized configuration changes.
  • No direct impact on confidentiality has been observed.

The actual impact depends on the operator configuration and whether lower-trust inputs can reach the affected functionality.

Mitigation Strategies

To mitigate the CVE-2026-53847 vulnerability in OpenClaw, you should take the following immediate steps:

  • Upgrade OpenClaw to version 2026.5.6 or later, where the vulnerability is patched.
  • Limit Active Memory write access strictly to trusted operators.
  • Keep channel and tool allowlists narrow to reduce exposure.
  • Avoid sharing Gateways between untrusted users.
  • Disable the Active Memory write feature if it is not necessary.