CVE-2026-53856
MEDIUMOpenClaw 2026.4.23 < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json
Title source: cnaDescription
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-rwp6-7w3q-75fq)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json
https://www.vulncheck.com/advisories/openclaw-insecure-file-permissions-in-config-recovery-via-openclaw-json
Scores
CVSS v3
5.5
EPSS
0.0009
EPSS Percentile
0.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-732
Status
published
Products (4)
npm/openclaw
2026.4.23 - 2026.4.24npm
openclaw/openclaw
2026.4.23
OpenClaw/OpenClaw
2026.4.23 - 2026.4.24
OpenClaw/OpenClaw
2026.4.24
Published
Jun 16, 2026
Tracked Since
Jun 17, 2026