Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53855

CVE-2026-53855: Openclaw Auth Bypass Vulnerability

CVE-2026-53855 is an authentication bypass flaw in Openclaw that allows operators to exploit shell positional parameters and bypass allowlist checks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-53855 Overview

CVE-2026-53855 affects OpenClaw versions prior to 2026.4.2. The flaw is an inline-eval bypass that allows authenticated operators to weaken strict allowlist checks using shell positional parameters. Attackers combine allowlisted tools with positional arguments to place inline-eval content in shell carriers outside the intended allowlist rules. The result is execution of unapproved shell-provided content within the OpenClaw runtime. The weakness is classified as Incomplete List of Disallowed Inputs [CWE-184]. The advisory is published in the GitHub Security Advisory database as GHSA-5cj2-3jr2-5h77.

Critical Impact

Authenticated operators can bypass OpenClaw allowlist controls and execute unapproved shell content, breaking the confidentiality and integrity guarantees of the inline-eval safeguard.

Affected Products

  • OpenClaw (Node.js distribution) versions before 2026.4.2
  • Deployments relying on OpenClaw inline-eval allowlist enforcement
  • Operator-facing OpenClaw consoles that accept tool invocations with shell positional arguments

Discovery Timeline

  • 2026-06-16 - CVE-2026-53855 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-53855

Vulnerability Analysis

OpenClaw enforces an allowlist that restricts which tools and inline-eval payloads operators can invoke. The allowlist check inspects the immediate command structure but fails to account for content delivered through shell positional parameters such as $1, $2, or $@. An authenticated operator can invoke an allowlisted tool while smuggling inline-eval content through these positional slots. The shell expands the positional arguments inside a carrier process, and the expanded content reaches the evaluation path without being re-checked against the allowlist. The defect is a classic [CWE-184] failure: the validator enumerates known-bad patterns at the surface layer but does not normalize or re-evaluate after shell expansion.

Root Cause

The allowlist validator operates on the raw command string before shell interpretation. It does not model how positional parameters are resolved by the carrier shell at execution time. Content placed in positional arguments is therefore invisible to the allowlist, even though it ultimately reaches the inline-eval evaluator.

Attack Vector

The attacker must already hold operator-level credentials to OpenClaw. The attacker invokes a permitted tool and supplies inline-eval content as positional arguments. The shell carrier expands the positional parameters and forwards the smuggled content to the inline-eval handler, which executes it outside the intended allowlist boundary.

No verified exploit code is available. See the VulnCheck Advisory for technical details on the bypass mechanism.

Detection Methods for CVE-2026-53855

Indicators of Compromise

  • Operator audit log entries showing allowlisted tool invocations that include shell positional references such as $1, $2, $@, or ${1}.
  • Inline-eval execution records whose evaluated content does not match the static allowlist signature recorded at validation time.
  • Unexpected child processes spawned by OpenClaw worker shells immediately after operator command submissions.

Detection Strategies

  • Compare the command string captured at allowlist validation against the actual content executed by the inline-eval handler, and alert on divergence.
  • Hunt for OpenClaw audit events that contain shell metacharacters in positional-argument positions.
  • Correlate authenticated operator sessions with downstream process creation to identify shell carriers spawning unapproved commands.

Monitoring Recommendations

  • Enable verbose audit logging on the OpenClaw inline-eval subsystem and forward events to a centralized log store.
  • Track per-operator invocation patterns and flag sudden use of positional parameters by accounts that previously did not use them.
  • Monitor the OpenClaw host for new outbound connections or file writes that follow operator tool invocations.

How to Mitigate CVE-2026-53855

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.2 or later on every node that exposes operator endpoints.
  • Rotate operator credentials and API tokens that may have been used to test bypass payloads.
  • Review historical audit logs for invocations containing positional parameters in tool arguments.

Patch Information

OpenClaw 2026.4.2 resolves the bypass by re-validating expanded content within the shell carrier and rejecting positional-parameter smuggling. Patch details are documented in the GitHub Security Advisory GHSA-5cj2-3jr2-5h77 and the VulnCheck Advisory.

Workarounds

  • Restrict operator role membership to the minimum set of trusted users until the patch is deployed.
  • Disable inline-eval functionality in OpenClaw configuration where it is not required for operations.
  • Add a wrapper layer that strips or escapes shell positional references before commands reach the OpenClaw allowlist validator.
bash
# Configuration example
# Upgrade OpenClaw to the fixed release
npm install openclaw@2026.4.2

# Verify the installed version
npm ls openclaw

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne