CVE-2026-53848
Awaiting Analysis Awaiting Analysis - Queue

OpenClaw Exec Allowlist Bypass via Wrapper Manipulation

Vulnerability report for CVE-2026-53848, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description

OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53848 is a vulnerability in OpenClaw versions before 2026.5.26 where the exec allowlist can be bypassed by authenticated operators. This happens because transparent command wrappers execute side effects outside the intended allowlisted command scope. Attackers can craft command requests that bypass the allowlist validation, causing unintended operations to be executed beyond the allowed commands.

The issue is related to the exec allowlist feature not fully accounting for side effects caused by wrapper commands, allowing these wrappers to perform actions outside the intended command intent.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-53848 on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow authenticated operators to execute unintended operations outside the scope of allowed commands, potentially leading to unauthorized side effects on the system.

The actual impact depends on the operator's configuration and whether lower-trust inputs can reach the affected exec allowlist path. If exploited, it could lead to unexpected command execution, which might affect system behavior or security.

Mitigations include reviewing wrapper commands carefully, requiring approval for shell-like wrappers, keeping allowlists narrow, avoiding shared Gateways between untrusted users, and disabling the affected feature if not needed.

Mitigation Strategies

To mitigate the CVE-2026-53848 vulnerability in OpenClaw, you should:

  • Review wrapper commands carefully to ensure they do not allow unintended side effects.
  • Require approval for any shell-like wrappers to prevent unauthorized command execution.
  • Keep channel and tool allowlists as narrow as possible to limit exposure.
  • Avoid sharing Gateways between untrusted users to reduce risk of exploitation.
  • Disable the affected exec allowlist feature if it is not necessary in your environment.

Additionally, upgrading to OpenClaw version 2026.5.26 or later, where this vulnerability is patched, is recommended.

Detection Guidance

Detection of CVE-2026-53848 involves reviewing command execution logs and monitoring for unexpected wrapper-level side effects that bypass the exec allowlist.

Since the vulnerability allows authenticated operators to execute unintended operations via transparent command wrappers, detection can focus on identifying commands that invoke wrappers outside the allowlisted commands.

Suggested steps include:

  • Audit and log all exec commands and their wrappers to identify any commands executed outside the allowlist.
  • Use system or application-level logging tools to track command invocations by authenticated operators.
  • Review wrapper scripts or commands for any side effects or operations that could be exploited.

Specific commands depend on your environment and logging setup, but examples might include:

  • Using shell history or audit logs (e.g., `ausearch` or `journalctl` on Linux) to find suspicious command executions.
  • Searching for wrapper invocations in logs, e.g., `grep` for known wrapper command names in system or application logs.

However, no explicit detection commands are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart