CVE-2026-53820
MediumCVSS 6.6Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
OpenClaw before version 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions.
Risk Assessment
Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended, posing a serious security threat to the system.
Recommendation
It is recommended to update OpenClaw to version 2026.5.12 or later to mitigate this vulnerability and implement additional access control measures.
Original NVD description (English source)
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.

