{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/admin-access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-53817"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openclaw (\u003c 2026.5.22)"],"_cs_severities":["high"],"_cs_tags":["authentication","vulnerability","admin-access","persistence","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity authentication bypass vulnerability, identified as CVE-2026-53817, exists in \u003ccode\u003eopenclaw\u003c/code\u003e versions prior to \u003ccode\u003e2026.5.22\u003c/code\u003e. This flaw affects deployments leveraging LAN-bound gateways or shared-token Control UI access, where locality signals are implicitly trusted during the pairing process. An attacker who has already established network or authentication foothold to reach the Control UI pairing path can exploit this vulnerability. By spoofing specific locality information, the attacker can trick the system into issuing a durable admin-capable device token. This token provides persistent administrative access, which remains valid even after the initial temporary or shared gateway tokens are rotated. This poses a significant risk as it allows unauthorized, long-term administrative control over affected OpenClaw instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains an initial network or authentication foothold, enabling them to access the OpenClaw Control UI pairing path.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a device pairing request to the vulnerable OpenClaw Control UI instance.\u003c/li\u003e\n\u003cli\u003eDuring the pairing process, the attacker crafts and sends requests that include spoofed or manipulated locality information.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenClaw Control UI, versions prior to \u003ccode\u003e2026.5.22\u003c/code\u003e, improperly validates these spoofed locality signals.\u003c/li\u003e\n\u003cli\u003eDue to the misinterpretation of the locality signals, the OpenClaw instance grants the attacker a durable admin-capable device token.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes this newly acquired durable device token to establish and maintain persistent administrative access to the Control UI.\u003c/li\u003e\n\u003cli\u003eThis persistent access remains effective even if the original temporary or shared gateway tokens, which might have initially granted the attacker their foothold, are subsequently revoked or rotated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53817 can lead to persistent administrative control over affected OpenClaw Control UI instances. The primary observed damage is the ability to transform temporary or shared access into a long-lasting, unauthorized administrative presence. While the specific number of victims or targeted sectors is not provided, any organization utilizing \u003ccode\u003eopenclaw\u003c/code\u003e in LAN/shared-token configurations is at risk. If exploited, an attacker gains full administrative capabilities, potentially leading to unauthorized configuration changes, data manipulation, or further compromise of integrated systems managed by the Control UI. The durable nature of the token means access persists even after initial entry vectors are mitigated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53817\u003c/strong\u003e: Immediately upgrade affected \u003ccode\u003eopenclaw\u003c/code\u003e installations to version \u003ccode\u003e2026.5.22\u003c/code\u003e or later to remediate CVE-2026-53817.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Network Segmentation\u003c/strong\u003e: Ensure that Control UI pairing paths are not exposed on networks accessible to untrusted clients, as described in the summary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Paired Devices\u003c/strong\u003e: For older deployments, regularly review and remove any unexpected or unauthorized paired devices from the Control UI configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:16:53Z","date_published":"2026-07-03T12:16:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-locality-spoofing/","summary":"An authentication bypass vulnerability (CVE-2026-53817) in OpenClaw's Control UI pairing mechanism allows an attacker with existing network/authentication foothold in LAN/shared-token deployments to spoof locality information, leading to the acquisition of a durable admin-capable device token that grants persistent administrative access, even after shared gateway tokens are rotated.","title":"OpenClaw Control UI Locality Spoofing Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-locality-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed - Admin-Access","version":"https://jsonfeed.org/version/1.1"}