CVE-2026-53808
6.5 MEDIUMOpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls t...
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- CWE
- CWE-863
Description
OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-47238 — ClipBucket v5 is an open source video sharing platform (6.5 MEDIUM)
- CVE-2026-53809 — OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to... (3.8 LOW)
- CVE-2026-53807 — OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users... (8.8 HIGH)
- CVE-2026-46519 — mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management (8.8 HIGH)
- CVE-2026-6277 — GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2... (4.3 MEDIUM)