CVE-2026-53854

MEDIUM

OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-4hpg-mp64-x7xq)
https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-ownerallowfrom-wildcard-inheritance-in-internal-webchat-commands

Scores

CVSS v3 6.5
EPSS 0.0024
EPSS Percentile 15.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (4)
npm/openclaw 0 - 2026.4.25npm
OpenClaw/OpenClaw < 2026.4.25
openclaw/openclaw < 2026.4.25
OpenClaw/OpenClaw 2026.4.25
Published Jun 16, 2026
Tracked Since Jun 17, 2026