
OpenClaw EUVD-2026-36323 | CVE-2026-53817 (HIGH)
Authentication Bypass by Spoofing (CWE-290)
2026-06-11 · VulnCheck
CVSS 4.0 base score 8.7 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck), primary: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.8 HIGH
Network-reachable pairing endpoint (AV:N), no special conditions beyond holding a temporary shared-access session (AC:L, PR:L), no user interaction, and full compromise of the vulnerable Control UI yielding admin tokens (C:H/I:H/A:H).
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Jun 11, 2026, 21:22 (vuln.today)

Description (CVE.org)

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.

Analysis (AI)

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information during Control UI device pairing and escalate temporary shared access into durable, admin-capable device tokens that persist across token rotation. The flaw stems from insufficient locality-derived trust validation (CWE-290), enabling lateral conversion of low-privilege sessions into persistent administrative credentials. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: obtain temporary shared access to the Control UI
2. Delivery: reach the pairing endpoint over the network
3. Exploit: submit spoofed locality data during pairing
4. Execution: receive a durable admin-capable device token
5. Persist: use the token to perform privileged actions
6. Impact: retain access across token rotation

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the OpenClaw Control UI pairing endpoint and (2) possession of a temporary shared-access credential or session that is permitted to initiate device pairing, consistent with the CVSS PR:L. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) and base score of 8.7 reflect high impact across confidentiality, integrity, and availability of the vulnerable system, achievable over the network with low complexity and only low privileges, consistent with an attacker who already holds a temporary shared-access session, as the description states. …

Exploit Scenario: An attacker who has obtained a temporary shared-access session to an OpenClaw Control UI (for example, a guest collaborator or a user on a shared network) initiates device pairing while presenting spoofed locality signals that the server treats as trusted. The pairing flow issues a durable, admin-capable device token bound to the attacker's device; because the token survives normal rotation, the attacker retains persistent administrative control even after the original shared session is revoked. …

Remediation: Vendor-released patch: OpenClaw 2026.5.22. Upgrade to this version or later per the GHSA-chr9-m4q2-76hw advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw. …

Recommended Action (AI)

Within 24 hours: Inventory OpenClaw deployments and identify systems running versions prior to 2026.5.22. …

