CVE-2026-53838
9.8 CRITICALOpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv...
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-367
Description
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
- CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
- CVE-2026-53822 — OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution (8.8 HIGH)
- CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)
- CVE-2026-42306 — Moby is an open source container framework (7.2 HIGH)