CVE-2026-53861
Awaiting Analysis Awaiting Analysis - Queue

OpenClaw macOS Swift exec Allowlist Bypass via Combined POSIX Flags

Vulnerability report for CVE-2026-53861, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-18

Assigner: VulnCheck

Description

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-18
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to bypass intended allowlist restrictions and potentially execute unauthorized shell commands, which could lead to unauthorized access or modification of sensitive data depending on system configuration.

Such unauthorized command execution and potential data compromise could negatively impact compliance with standards like GDPR and HIPAA, which require protection of confidentiality and integrity of sensitive information.

However, the vulnerability requires local access, low privileges, and user interaction, and does not alter the trusted-operator model, meaning the risk depends heavily on the specific deployment and mitigation measures in place.

Mitigation steps such as restricting allowlists, avoiding shared gateways for untrusted users, and disabling the vulnerable feature when unnecessary are recommended to reduce compliance risks.

Executive Summary

CVE-2026-53861 is an allowlist bypass vulnerability in OpenClaw versions before 2026.5.6 affecting the macOS Swift exec feature. The vulnerability arises because the allowlist check misses combined POSIX inline-command flags, allowing attackers to execute shell commands outside the intended restrictions.

This means that by using combined flag forms, an attacker can bypass the security controls designed to restrict command execution, potentially running unauthorized commands depending on how the operator has configured the system.

Impact Analysis

This vulnerability can lead to unauthorized command execution on affected systems, which may compromise the confidentiality and integrity of data.

The CVSS scores indicate a moderate severity with potential high impact on confidentiality and integrity but no impact on availability.

Exploitation requires local access, low complexity, low privileges, and user interaction, meaning an attacker with limited access could still leverage this flaw if conditions are met.

Depending on the operator's configuration and the presence of lower-trust input reaching the vulnerable path, attackers might execute unauthorized shell commands, potentially leading to data exposure or manipulation.

Mitigation Strategies

To mitigate the vulnerability in OpenClaw before version 2026.5.6, you should upgrade to version 2026.5.6 or later where the issue is fixed.

  • Restrict channel and tool allowlists to reduce exposure.
  • Avoid using shared Gateways for untrusted users.
  • Disable the macOS Swift exec feature if it is not necessary.
Detection Guidance

Detection of CVE-2026-53861 involves identifying if your system is running OpenClaw versions before 2026.5.6 on macOS, particularly if the Swift exec feature with POSIX inline-command flags is enabled.

Since the vulnerability arises from allowlist bypass via combined POSIX inline-command flags, detection can focus on verifying the OpenClaw version and checking for usage of the vulnerable Swift exec feature.

Suggested commands to detect the vulnerable OpenClaw version include:

  • Check OpenClaw version installed via npm: `npm list openclaw` or `npm ls openclaw`
  • Check globally installed OpenClaw version: `npm list -g openclaw`
  • Search for usage of the Swift exec feature in your codebase or scripts that might invoke combined POSIX inline-command flags.

Additionally, monitoring logs or command executions that involve combined POSIX inline-command flags in Swift exec calls may help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart