CVE-2026-53855
Inline-Eval Bypass in OpenClaw

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.4.2 (2026.4.2 itself excluded)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-184: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

CVE-2026-53855 is a vulnerability in OpenClaw versions before 2026.4.2 that allows authenticated operators to bypass strict inline-eval allowlist checks by exploiting shell positional parameters.

Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers that are not covered by the allowlist rules, enabling execution of unapproved shell-provided content.

This issue arises from incomplete input validation and incorrect authorization, allowing command injection outside intended restrictions.

Impact Analysis

If exploited, this vulnerability can allow an attacker with authenticated operator access to execute unauthorized shell commands by bypassing strict allowlist rules.

This could lead to improper privilege management, improper access control, and execution of potentially harmful commands outside the intended security boundaries.

The impact depends on the operator's configuration and whether lower-trust input can reach the vulnerable path.

Mitigation Strategies

To mitigate the vulnerability in OpenClaw versions prior to 2026.4.2, you should take the following immediate steps:

  • Avoid allowlisting shell carrier patterns.
  • Require approval for shell wrappers until the system is patched.
  • Keep channel and tool allowlists as narrow as possible.
  • Avoid sharing Gateways between untrusted users.
  • Disable the affected feature if it is unnecessary.

Additionally, upgrading to OpenClaw version 2026.4.2 or later, where this vulnerability is patched, is recommended.
