CVE-2026-53821
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
OpenClaw before version 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections.
Risk Assessment
The organization may be exposed to unauthorized access to administrative functions, potentially leading to serious security breaches. Exploiting this vulnerability could allow attackers to execute admin-gated Gateway RPCs.
Recommendation
It is recommended to update OpenClaw to version 2026.5.18 or later to mitigate this vulnerability. Additionally, an audit of trusted proxy configurations and access to the administrative interface should be conducted.
Original NVD description (English source)
OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs.

