CVE-2026-53843 Overview
CVE-2026-53843 is an authorization bypass vulnerability in OpenClaw versions before 2026.5.26. The flaw allows a pairing-scoped device session to survive token revocation and re-establish node-level authority over WebSocket connections. Attackers holding a previously paired device can regain privileged access without renewed approval from the operator.
The vulnerability is classified under CWE-613 (Insufficient Session Expiration). It affects the OpenClaw Node.js package and is tracked in the GitHub Security Advisory GHSA-q99w-vh6v-q3v7.
Critical Impact
A paired attacker device can bypass revocation and retain full WebSocket node-level access, compromising the confidentiality, integrity, and availability of OpenClaw-managed nodes.
Affected Products
- OpenClaw versions prior to 2026.5.26
- OpenClaw 2026.5.26-beta1 (Node.js package)
- OpenClaw 2026.5.26-beta2 (Node.js package)
Discovery Timeline
- 2026-06-16 - CVE-2026-53843 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-53843
Vulnerability Analysis
The vulnerability resides in OpenClaw's session and token lifecycle for paired devices. When an operator revokes a node token, the existing pairing-scoped device session is not terminated server-side. The orphaned session retains sufficient authority to re-establish node-level access through the WebSocket channel.
Because revocation only invalidates the issued token but leaves the underlying session context intact, the server treats subsequent WebSocket activity from the paired device as legitimate. The device can then mint or reassert node token authority, effectively negating administrative revocation. This weakens the operator's ability to remove access from compromised or decommissioned devices.
The issue is exploitable over the network with low privileges and no user interaction, since the attacker already controls a paired device.
Root Cause
The root cause is insufficient session expiration tied to pairing scope. Token revocation logic operates on the token object rather than the broader device session that issued it. The pairing-scoped session continues to satisfy the authorization check used by the node WebSocket endpoint, allowing token re-issuance or re-authentication without operator approval.
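The following is an added illustration of the root cause described above, not OpenClaw's own code: a minimal, hypothetical session store in which revocation touches only the token object (vulnerable model) beside one in which revocation also terminates the issuing pairing-scoped session and the WebSocket check requires a live token (hardened model). All class and method names are assumptions.

```javascript
// Vulnerable model (hypothetical): revokeToken() flips a flag on the token
// record only. The pairing-scoped session that issued it stays active, and the
// WebSocket authorization check consults the session alone.
class VulnerableStore {
  constructor() { this.sessions = new Map(); this.tokens = new Map(); }
  pairDevice(deviceId) {
    const sessionId = `sess-${deviceId}`;
    this.sessions.set(sessionId, { deviceId, scope: 'pairing', active: true });
    return sessionId;
  }
  issueNodeToken(sessionId) {
    const session = this.sessions.get(sessionId);
    if (!session || !session.active) throw new Error('no active pairing session');
    const token = `tok-${sessionId}-${this.tokens.size}`;
    this.tokens.set(token, { sessionId, revoked: false });
    return token;
  }
  revokeToken(token) {
    const rec = this.tokens.get(token);
    if (rec) rec.revoked = true; // only the token object is touched
  }
  // WebSocket handshake check: authorizes on session state, ignores the token
  authorizeWebSocket(sessionId) {
    const session = this.sessions.get(sessionId);
    return Boolean(session && session.active);
  }
}

// Hardened model (hypothetical): revocation ends the issuing session as well,
// and the handshake additionally requires a non-revoked token bound to it.
class HardenedStore extends VulnerableStore {
  revokeToken(token) {
    const rec = this.tokens.get(token);
    if (!rec) return;
    rec.revoked = true;
    const session = this.sessions.get(rec.sessionId);
    if (session) session.active = false; // terminate the pairing-scoped session
  }
  authorizeWebSocket(sessionId, token) {
    const rec = this.tokens.get(token);
    return super.authorizeWebSocket(sessionId) &&
      Boolean(rec && !rec.revoked && rec.sessionId === sessionId);
  }
}

// Run both models through the same lifecycle: pair, issue, revoke, reconnect.
function reconnectAfterRevoke(store) {
  const sessionId = store.pairDevice('device-A');
  const token = store.issueNodeToken(sessionId);
  store.revokeToken(token);
  let reissued = true; // can the orphaned session still mint a node token?
  try { store.issueNodeToken(sessionId); } catch (e) { reissued = false; }
  return { wsAuthorized: store.authorizeWebSocket(sessionId, token), reissued };
}
```

In the vulnerable model both `wsAuthorized` and `reissued` come back true after revocation; in the hardened model both are false.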
Attack Vector
An attacker who controls a device previously paired with OpenClaw initiates a WebSocket connection after the operator has revoked its node token. The lingering pairing session passes the server's authorization check, and the attacker re-establishes node-level authority. From this position, the attacker can read sensitive data, modify configuration, and disrupt service on managed nodes.
No verified public proof-of-concept code is available. Refer to the VulnCheck advisory for additional technical context.
Detection Methods for CVE-2026-53843
Indicators of Compromise
- WebSocket reconnections from a paired device identifier that occur after a node token revocation event in OpenClaw logs.
- Node-level API or control actions originating from device sessions whose tokens have been marked revoked.
- Repeated token re-issuance requests from the same pairing scope without a fresh operator approval record.
Detection Strategies
- Correlate token revocation events with subsequent successful WebSocket authentications from the same device fingerprint.
- Alert on any node-scope action performed by a session whose parent token has a revocation timestamp earlier than the action timestamp.
- Baseline normal pairing-to-action flows and flag sessions that outlive their issuing token.
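An added example of the correlation rule above, written here for illustration and not taken from OpenClaw: it walks a constructed, hypothetical JSON-lines audit stream and flags any WebSocket authentication, token issuance, or node-scope action by a device after that device's latest revocation, unless a fresh operator approval record appears in between. The event names and field names are assumptions; map them onto whatever OpenClaw's audit logging actually emits.

```javascript
// Constructed sample audit log (hypothetical format). dev-1 shows the
// orphaned-session pattern; dev-2 is a benign revoke -> approve -> re-pair flow.
const sampleLog = [
  '{"ts":"2026-06-01T10:00:00Z","event":"token.issued","device":"dev-1","token":"t1"}',
  '{"ts":"2026-06-01T10:05:00Z","event":"token.revoked","device":"dev-1","token":"t1"}',
  '{"ts":"2026-06-01T10:06:30Z","event":"ws.auth.success","device":"dev-1","session":"s1"}',
  '{"ts":"2026-06-01T10:07:00Z","event":"node.action","device":"dev-1","session":"s1","action":"config.write"}',
  '{"ts":"2026-06-01T10:08:00Z","event":"token.revoked","device":"dev-2","token":"t2"}',
  '{"ts":"2026-06-01T10:08:30Z","event":"pairing.approved","device":"dev-2","operator":"admin"}',
  '{"ts":"2026-06-01T10:09:00Z","event":"token.issued","device":"dev-2","token":"t3"}',
  '{"ts":"2026-06-01T10:09:30Z","event":"ws.auth.success","device":"dev-2","session":"s2"}',
  'not json at all',
].join('\n');

// Parse JSON lines, skipping malformed entries instead of aborting the scan.
function parseAuditLog(text) {
  return text.split('\n').flatMap((line) => {
    try { return [JSON.parse(line)]; } catch { return []; }
  });
}

const POST_REVOCATION_EVENTS = new Set(['ws.auth.success', 'node.action', 'token.issued']);

// Returns one finding per event that outlives its device's latest revocation.
function findOrphanedSessions(events) {
  const sorted = [...events].sort((a, b) => a.ts.localeCompare(b.ts));
  const lastRevokedAt = new Map(); // device -> timestamp of latest revocation
  const findings = [];
  for (const ev of sorted) {
    if (ev.event === 'token.revoked') {
      lastRevokedAt.set(ev.device, ev.ts);
    } else if (ev.event === 'pairing.approved') {
      lastRevokedAt.delete(ev.device); // operator re-approval legitimises what follows
    } else if (POST_REVOCATION_EVENTS.has(ev.event)) {
      const revokedAt = lastRevokedAt.get(ev.device);
      if (revokedAt && revokedAt < ev.ts) {
        findings.push({ device: ev.device, event: ev.event, ts: ev.ts, revokedAt });
      }
    }
  }
  return findings;
}
```

On the sample above the rule yields two findings, both for dev-1, and nothing for dev-2.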
Monitoring Recommendations
- Enable verbose audit logging for pairing, token issuance, and revocation events in OpenClaw and forward them to a centralized log store.
- Monitor WebSocket endpoints for anomalous session continuity following administrative actions.
- Track unique device identifiers across pairing lifecycle events to detect orphaned sessions.
How to Mitigate CVE-2026-53843
Immediate Actions Required
- Upgrade OpenClaw to version 2026.5.26 or later, which addresses the session survival issue.
- Audit currently paired devices and unpair any device that is no longer trusted or required.
- Force termination of all active WebSocket sessions after applying the patch to invalidate lingering pairing-scoped sessions.
Patch Information
The fix is delivered in OpenClaw 2026.5.26. Versions 2026.5.26-beta1 and 2026.5.26-beta2 remain vulnerable and should not be deployed. Patch details are published in the GitHub Security Advisory GHSA-q99w-vh6v-q3v7.
Workarounds
- Restart the OpenClaw server after revoking a token to clear in-memory pairing sessions until the upgrade is applied.
- Restrict network exposure of the OpenClaw WebSocket endpoint to trusted management networks or VPN segments.
- Rotate pairing credentials and re-pair only devices that have been verified as trustworthy.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.5.26
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.