{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aopenclawopenclawnode.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53810"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/openclaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","code-execution","nodejs","npm"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-53810, has been identified in \u003ccode\u003enpm/openclaw\u003c/code\u003e versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e. This flaw resides within the marketplace runtime extension metadata, allowing a malicious package to point to unscanned payloads. When a trusted operator installs such a specially crafted package, the OpenClaw Gateway's runtime loading mechanism can be redirected to execute hidden content that has bypassed expected security scans. This means plugin code could be loaded and executed outside of its reviewed package entry points, creating an avenue for unauthorized code execution. The practical impact hinges on the specific operator's configuration and whether lower-trust input can reach the vulnerable path. While this advisory emphasizes that OpenClaw's trusted-operator model remains, this specific misconfiguration introduces a significant risk if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenClaw package containing legitimate-looking components alongside hidden malicious code and specially forged marketplace runtime extension metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious package (e.g., via social engineering, compromise of a trusted source, or supply chain infiltration) to an organization using OpenClaw Gateway.\u003c/li\u003e\n\u003cli\u003eA trusted operator, unaware of the hidden malicious content, initiates the installation of the seemingly benign package within the OpenClaw Gateway environment.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, the vulnerable OpenClaw Gateway (versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e) processes the malicious marketplace runtime extension metadata.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2026-53810, this metadata redirects the runtime loading mechanism to the hidden, unscanned malicious code within the package.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw Gateway inadvertently loads and executes the malicious plugin code, bypassing its standard security review and scanning procedures.\u003c/li\u003e\n\u003cli\u003eThe executed malicious code operates within the trusted context of the OpenClaw Gateway, potentially allowing for arbitrary command execution, data exfiltration, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53810 could lead to unauthorized code execution within the trusted environment of an OpenClaw Gateway. If the affected feature is enabled and reachable, attackers could leverage this vulnerability to bypass security scans and load arbitrary plugin code, potentially leading to privilege escalation, data theft, or complete system compromise. The severity of the impact depends heavily on the specific configuration of the operator's OpenClaw environment and the sensitivity of the data and systems accessible by the Gateway.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-53810 by immediately upgrading \u003ccode\u003enpm/openclaw\u003c/code\u003e to version \u003ccode\u003e2026.5.18\u003c/code\u003e or higher to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, implement strict allowlists for all plugins installed on OpenClaw Gateways and explicitly define allowed channels and tools.\u003c/li\u003e\n\u003cli\u003eDisable the marketplace runtime extension feature if it is not explicitly required for your operational needs to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eAvoid sharing a single OpenClaw Gateway between mutually untrusted users or environments as a general hardening measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:18:41Z","date_published":"2026-07-03T12:18:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-unscanned-payloads/","summary":"A high-severity vulnerability, CVE-2026-53810, in OpenClaw's marketplace runtime extension metadata allows an attacker to craft a malicious package that, when installed by a trusted operator, redirects runtime loading to hidden, unscanned code, potentially leading to unauthorized code execution and bypassing security checks.","title":"OpenClaw Vulnerability Allows Loading of Unscanned Payloads via Malicious Metadata","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-unscanned-payloads/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53817"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openclaw (\u003c 2026.5.22)"],"_cs_severities":["high"],"_cs_tags":["authentication","vulnerability","admin-access","persistence","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity authentication bypass vulnerability, identified as CVE-2026-53817, exists in \u003ccode\u003eopenclaw\u003c/code\u003e versions prior to \u003ccode\u003e2026.5.22\u003c/code\u003e. This flaw affects deployments leveraging LAN-bound gateways or shared-token Control UI access, where locality signals are implicitly trusted during the pairing process. An attacker who has already established network or authentication foothold to reach the Control UI pairing path can exploit this vulnerability. By spoofing specific locality information, the attacker can trick the system into issuing a durable admin-capable device token. This token provides persistent administrative access, which remains valid even after the initial temporary or shared gateway tokens are rotated. This poses a significant risk as it allows unauthorized, long-term administrative control over affected OpenClaw instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains an initial network or authentication foothold, enabling them to access the OpenClaw Control UI pairing path.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a device pairing request to the vulnerable OpenClaw Control UI instance.\u003c/li\u003e\n\u003cli\u003eDuring the pairing process, the attacker crafts and sends requests that include spoofed or manipulated locality information.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenClaw Control UI, versions prior to \u003ccode\u003e2026.5.22\u003c/code\u003e, improperly validates these spoofed locality signals.\u003c/li\u003e\n\u003cli\u003eDue to the misinterpretation of the locality signals, the OpenClaw instance grants the attacker a durable admin-capable device token.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes this newly acquired durable device token to establish and maintain persistent administrative access to the Control UI.\u003c/li\u003e\n\u003cli\u003eThis persistent access remains effective even if the original temporary or shared gateway tokens, which might have initially granted the attacker their foothold, are subsequently revoked or rotated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53817 can lead to persistent administrative control over affected OpenClaw Control UI instances. The primary observed damage is the ability to transform temporary or shared access into a long-lasting, unauthorized administrative presence. While the specific number of victims or targeted sectors is not provided, any organization utilizing \u003ccode\u003eopenclaw\u003c/code\u003e in LAN/shared-token configurations is at risk. If exploited, an attacker gains full administrative capabilities, potentially leading to unauthorized configuration changes, data manipulation, or further compromise of integrated systems managed by the Control UI. The durable nature of the token means access persists even after initial entry vectors are mitigated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53817\u003c/strong\u003e: Immediately upgrade affected \u003ccode\u003eopenclaw\u003c/code\u003e installations to version \u003ccode\u003e2026.5.22\u003c/code\u003e or later to remediate CVE-2026-53817.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Network Segmentation\u003c/strong\u003e: Ensure that Control UI pairing paths are not exposed on networks accessible to untrusted clients, as described in the summary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Paired Devices\u003c/strong\u003e: For older deployments, regularly review and remove any unexpected or unauthorized paired devices from the Control UI configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:16:53Z","date_published":"2026-07-03T12:16:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-locality-spoofing/","summary":"An authentication bypass vulnerability (CVE-2026-53817) in OpenClaw's Control UI pairing mechanism allows an attacker with existing network/authentication foothold in LAN/shared-token deployments to spoof locality information, leading to the acquisition of a durable admin-capable device token that grants persistent administrative access, even after shared gateway tokens are rotated.","title":"OpenClaw Control UI Locality Spoofing Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-locality-spoofing/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53811"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/openclaw (\u003c= 2026.5.6)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","matrix","openclaw","npm"],"_cs_type":"threat","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA significant vulnerability, tracked as CVE-2026-53811, has been identified in OpenClaw's Matrix \u003ccode\u003eallowFrom\u003c/code\u003e feature, affecting versions up to \u003ccode\u003e2026.5.6\u003c/code\u003e. This flaw allows a Matrix account with the ability to change its display name to bypass security policies by having its mutable display metadata match an entry in an allowlist. This misconfiguration can lead to unauthorized agent access, where permissions intended for a legitimate Matrix identity are mistakenly granted to an attacker-controlled account. The issue arises when the affected feature is enabled and reachable, particularly when lower-trust input can influence the path that leads to policy matching. While this vulnerability does not alter OpenClaw's trusted-operator model, its practical impact is highly dependent on the operator's specific configuration and the sensitivity of the agent access granted.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhen this vulnerability is present and actively exploited, and the affected feature is enabled and reachable by untrusted input, it could allow an attacker to gain unauthorized agent access that was intended for a different, legitimate Matrix identity. The practical severity of this impact is directly tied to an organization's specific configuration of OpenClaw, the types of agents and permissions managed by the vulnerable \u003ccode\u003eallowFrom\u003c/code\u003e feature, and whether lower-trust users or external inputs can interact with this path. Successful exploitation could lead to data compromise, unauthorized operations, or broader system access, depending on the privileges associated with the hijacked agent identity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53811 immediately:\u003c/strong\u003e Upgrade all instances of \u003ccode\u003enpm/openclaw\u003c/code\u003e to version \u003ccode\u003e2026.5.7\u003c/code\u003e or newer to remediate CVE-2026-53811.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement policy hardening:\u003c/strong\u003e Until patching is complete, configure allowlists using stable Matrix user IDs (e.g., \u003ccode\u003e@user:matrix.org\u003c/code\u003e) instead of mutable display names.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict access:\u003c/strong\u003e Review and narrow channel and tool allowlists to the absolute minimum necessary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIsolate environments:\u003c/strong\u003e Avoid sharing a single OpenClaw Gateway between mutually untrusted users or departments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable unnecessary features:\u003c/strong\u003e Disable the \u003ccode\u003eallowFrom\u003c/code\u003e feature if it is not explicitly required for operational purposes, removing the attack surface for CVE-2026-53811.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:13:27Z","date_published":"2026-07-03T12:13:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-matrix-vulnerability/","summary":"A high-severity vulnerability (CVE-2026-53811) in OpenClaw's Matrix `allowFrom` feature allows threat actors to exploit mutable display names to match policy entries, potentially granting unauthorized agent access intended for another Matrix identity.","title":"OpenClaw Matrix allowFrom Vulnerability (CVE-2026-53811)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-matrix-vulnerability/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53819"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c 2026.5.27)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","homebrew","supply-chain","macos","linux"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eThe OpenClaw platform is affected by CVE-2026-53819, a high-severity vulnerability enabling a malicious \u003ccode\u003e.env\u003c/code\u003e file in a repository to manipulate the Homebrew executable selection during skill installation flows. Published by GHSA on July 2, 2026, this flaw permits the OpenClaw install helper to use an attacker-controlled Homebrew-compatible binary instead of the legitimate one. This occurs when a trusted operator opens an affected workspace and initiates a skill installation. The vulnerability, present in OpenClaw versions prior to 2026.5.27, affects macOS and Linux systems and poses a significant risk for arbitrary code execution, bypassing established security controls and potentially compromising the operator's environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious repository that includes a \u003ccode\u003e.env\u003c/code\u003e file designed to alter environment variables that influence Homebrew's path resolution.\u003c/li\u003e\n\u003cli\u003eThe attacker socially engineers a trusted OpenClaw operator to clone and open this malicious repository within their development workspace.\u003c/li\u003e\n\u003cli\u003eThe trusted operator initiates a skill install flow within the newly opened, compromised workspace.\u003c/li\u003e\n\u003cli\u003eDuring the install process, the OpenClaw install helper parses the malicious \u003ccode\u003e.env\u003c/code\u003e file, causing it to load an incorrect or attacker-controlled path for the Homebrew executable.\u003c/li\u003e\n\u003cli\u003eInstead of executing the legitimate Homebrew binary, the system invokes an attacker-controlled Homebrew-compatible executable, which was likely bundled within the malicious repository.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled executable runs with the operator's privileges, achieving arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003eThis execution could lead to system compromise, data exfiltration, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53819 could allow an attacker to run arbitrary code on a trusted operator's system, leading to full system compromise. The practical impact depends on the specific configuration of the operator's environment and the attacker's payload. If lower-trust input can reach the affected path, it increases the likelihood and severity of compromise. This vulnerability could be leveraged for initial access, privilege escalation, or establishing persistence within targeted development environments, potentially affecting intellectual property or critical infrastructure if operators with elevated access are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenClaw to version \u003ccode\u003e2026.5.27\u003c/code\u003e or newer to remediate CVE-2026-53819.\u003c/li\u003e\n\u003cli\u003eAvoid running skill install flows from untrusted workspaces until all OpenClaw instances are updated to the patched version \u003ccode\u003e2026.5.27\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a general hardening measure, keep channel and tool allowlists narrow, as noted in the GHSA reference.\u003c/li\u003e\n\u003cli\u003eDisable the affected feature when it is not needed to reduce the attack surface for CVE-2026-53819.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:01:45Z","date_published":"2026-07-03T12:01:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-homebrew-override/","summary":"A high-severity vulnerability (CVE-2026-53819) in OpenClaw versions prior to 2026.5.27 allows a malicious `.env` file within a repository to override the Homebrew executable selection during skill installation flows, potentially leading to arbitrary code execution on trusted operator systems running macOS or Linux.","title":"OpenClaw Workspace .env Homebrew Executable Override Vulnerability (CVE-2026-53819)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-homebrew-override/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-53813"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c= 2026.4.24)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","npm","node.js","openclaw"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-53813, has been identified in OpenClaw (npm/openclaw package) affecting versions up to and including 2026.4.24. This flaw, dubbed \u0026quot;Fake package roots,\u0026quot; permits a local package root resolution path, influenced by workspace state, to select and load memory-core artifacts from an unintended local location rather than the intended bundled artifact root. The practical impact hinges on the operator's specific configuration and the ability for lower-trust input to reach the vulnerable path. While OpenClaw generally operates on a trusted-operator model, this specific feature, if enabled and reachable, could bypass assumptions about artifact integrity. The issue was disclosed via GHSA on July 2, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThe provided source describes a vulnerability rather than a detailed, observed attack chain. Exploitation would likely involve an attacker providing malicious or crafted input to a Gateway operator's workspace, leveraging the \u0026quot;fake package root\u0026quot; vulnerability (CVE-2026-53813) to redirect artifact loading. The exact steps for achieving this depend on the specific configuration and how \u0026quot;lower-trust input\u0026quot; can be introduced into the environment. No specific steps for attacker actions are outlined in the advisory.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53813 could lead to the loading of arbitrary, unintended memory-core artifacts from a local file path. The actual damage incurred is highly dependent on the operator's environment and the nature of the unintended artifact loaded. If an attacker can inject malicious code via this mechanism, it could result in code execution within the context of the affected OpenClaw process, leading to data compromise, system manipulation, or further network lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch OpenClaw (npm/openclaw) to version \u003ccode\u003e2026.4.25\u003c/code\u003e or newer immediately to remediate CVE-2026-53813.\u003c/li\u003e\n\u003cli\u003eAs a mitigation for CVE-2026-53813, run memory-core flows only from trusted workspaces.\u003c/li\u003e\n\u003cli\u003eKeep channel and tool allowlists narrow to restrict potential attack surfaces as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eAvoid sharing a single OpenClaw Gateway between mutually untrusted users.\u003c/li\u003e\n\u003cli\u003eDisable the affected feature within OpenClaw if it is not explicitly required for operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:00:51Z","date_published":"2026-07-03T12:00:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-fake-package-roots/","summary":"A high-severity vulnerability, CVE-2026-53813, in npm/openclaw versions \u003c= 2026.4.24 allows fake package roots to influence memory-core artifact loading, potentially leading to the selection and execution of unintended local artifacts based on attacker-controlled or lower-trust input reaching the affected path.","title":"OpenClaw Vulnerability Allows Unintended Artifact Loading (CVE-2026-53813)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-fake-package-roots/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53806"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/openclaw (\u003c= 2026.5.7)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","shell","bypass","code-execution","linux","macos"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-53806, has been discovered in npm/openclaw versions up to \u003ccode\u003e2026.5.7\u003c/code\u003e. This flaw allows attackers to bypass a critical security control known as \u0026quot;exec revalidation\u0026quot; by presenting specially crafted input containing combined POSIX shell options. The core issue lies in how OpenClaw parses these combined shell flags, leading to a discrepancy between approval-time and execution-time shell option interpretations. This misinterpretation can allow inline shell content, which should otherwise be blocklisted or explicitly approved, to be executed without proper validation. The practical impact is severe, potentially enabling remote code execution, especially if untrusted user input can reach the affected execution path within the OpenClaw application. Defenders should prioritize patching and applying mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Input Delivery\u003c/strong\u003e: An attacker obtains the ability to provide user-controlled input to an OpenClaw application interface where the affected feature is enabled and reachable. This input could originate from a lower-trust source.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafted Input with Combined Shell Options\u003c/strong\u003e: The attacker crafts malicious input that includes combined POSIX shell options, designed to exploit the parsing vulnerability within OpenClaw.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Processing\u003c/strong\u003e: The OpenClaw application receives and begins to process the crafted input, which contains the malicious shell content alongside the confusing combined options.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExec Revalidation Confusion\u003c/strong\u003e: During the \u0026quot;exec revalidation\u0026quot; process, OpenClaw misinterprets the combined shell options, causing a discrepancy between its initial approval-time parsing and the actual execution-time parsing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAllowlist Bypass\u003c/strong\u003e: Due to the confusion, the security mechanism intended to validate and allowlist/blocklist shell content is bypassed, failing to correctly identify the malicious inline shell content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Shell Content Execution\u003c/strong\u003e: The previously unapproved or blocklisted inline shell content is executed on the underlying system, leveraging the permissions of the OpenClaw application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution\u003c/strong\u003e: The executed shell content performs arbitrary commands, potentially leading to system compromise, data manipulation, or further lateral movement within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhen this vulnerability, CVE-2026-53806, is exploited, it allows an attacker to execute arbitrary inline shell content without the intended allowlist validation. The practical impact on an organization is highly dependent on the specific configuration of the OpenClaw operator and whether input from lower-trust sources can reach the vulnerable execution path. If successfully exploited, attackers can bypass security controls designed to prevent unauthorized command execution, potentially leading to remote code execution (RCE), full system compromise, data exfiltration, or denial-of-service, depending on the attacker's executed commands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53806 immediately\u003c/strong\u003e by upgrading npm/openclaw to version \u003ccode\u003e2026.5.12\u003c/code\u003e or later.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAvoid combined shell option forms\u003c/strong\u003e in allowlisted commands within your OpenClaw configuration until the system is patched against CVE-2026-53806.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable the affected feature\u003c/strong\u003e within OpenClaw if it is not strictly needed for operational purposes, as a general hardening measure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKeep channel and tool allowlists narrow\u003c/strong\u003e in OpenClaw configurations, permitting only essential commands and trusted sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAvoid sharing a single OpenClaw Gateway\u003c/strong\u003e between mutually untrusted users to limit the blast radius of potential exploitation of CVE-2026-53806.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:59:40Z","date_published":"2026-07-03T11:59:40Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-exec-revalidation-bypass/","summary":"A high-severity vulnerability, CVE-2026-53806, in npm/openclaw versions up to 2026.5.7, allows attackers to bypass 'exec revalidation' controls by confusing the application with combined POSIX shell options, leading to unauthorized inline shell content execution and potential remote code execution.","title":"OpenClaw Vulnerability Allows Execution Revalidation Bypass (CVE-2026-53806)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-exec-revalidation-bypass/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-53816"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/openclaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","server-side","npm"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-53816, has been identified in the npm/openclaw package, affecting all versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e. This flaw allows an attacker who has already gained control of a paired OpenClaw node to bypass security checks and forge \u003ccode\u003eexec\u003c/code\u003e lifecycle events. OpenClaw nodes typically send these lifecycle events to a central gateway. However, due to an insufficient provenance check in affected versions, the gateway accepts these forged events as legitimate execution results. This deception can lead the target session to process attacker-controlled data, exposing capabilities that the compromised node should not possess. This issue primarily impacts deployments where nodes can send crafted \u003ccode\u003enode.event\u003c/code\u003e messages to the gateway and the target agent/session processes exec lifecycle events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over an already paired OpenClaw node within the targeted environment.\u003c/li\u003e\n\u003cli\u003eThe compromised paired node crafts a malicious \u003ccode\u003enode.event\u003c/code\u003e message containing forged \u003ccode\u003eexec\u003c/code\u003e lifecycle event data.\u003c/li\u003e\n\u003cli\u003eThe forged event data is designed to mimic a legitimate \u003ccode\u003esystem.run\u003c/code\u003e request or other authorized execution.\u003c/li\u003e\n\u003cli\u003eThe compromised node sends this crafted \u003ccode\u003enode.event\u003c/code\u003e message to the OpenClaw gateway.\u003c/li\u003e\n\u003cli\u003eDue to a missing provenance check, the OpenClaw gateway accepts the forged \u003ccode\u003eexec\u003c/code\u003e lifecycle event without validating its origin or authorization.\u003c/li\u003e\n\u003cli\u003eThe gateway processes the attacker-supplied event data as if it were a legitimate execution result from an authorized \u003ccode\u003esystem.run\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThis process steers the target session into an exec-event path, exposing unauthorized capabilities to the compromised node.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation or unauthorized control over functionality that the node's reduced surface should not have provided.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-53816 enables a malicious or compromised OpenClaw node to gain unauthorized capabilities on the OpenClaw gateway and associated target sessions. By making the gateway treat attacker-supplied event data as legitimate execution results, the vulnerability effectively elevates the privileges of the compromised node beyond its intended scope. While it does not allow an unauthenticated caller to directly reach the gateway, it poses a significant threat in environments where an OpenClaw node has already been breached, potentially leading to broader system compromise and unauthorized data access or manipulation. Organizations with affected versions are at risk if any of their paired nodes are compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eopenclaw@2026.5.18\u003c/code\u003e or later immediately to patch CVE-2026-53816.\u003c/li\u003e\n\u003cli\u003eEnsure that all paired OpenClaw nodes originate from trusted and secured environments.\u003c/li\u003e\n\u003cli\u003eImplement a process to remove and re-pair any OpenClaw nodes that are suspected of being compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:58:42Z","date_published":"2026-07-03T11:58:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-node-forgery/","summary":"A vulnerability, CVE-2026-53816, in npm/openclaw versions prior to 2026.5.18, allows a malicious or compromised paired node to forge 'exec' lifecycle events and send them to the gateway, which, due to a missing provenance check, accepts the attacker-supplied event data as legitimate execution results, leading to unauthorized capability exposure for the compromised node.","title":"OpenClaw Node Forgery via Missing Provenance Check (CVE-2026-53816)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-node-forgery/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","version":"https://jsonfeed.org/version/1.1"}