Four high-severity vulnerabilities in OpenClaw were published to the National Vulnerability Database between June 12 and 13, 2026. All four carry CVSS scores between 7.7 and 8.7 (High). All four have patches available. The cluster spans three separate OpenClaw releases, targeting authorization enforcement, command execution, WebSocket privilege handling, and skill installation flows.
The Four CVEs
CVE-2026-53828: Native Command Authorization Bypass (pre-2026.5.6)
OpenClaw’s native command handler failed to enforce owner-only access policies, according to the NVD description and VulnCheck’s advisory. Authenticated senders could execute commands designated as owner-only without the policy check ever running. VulnCheck assigned it a CVSS 4.0 score of 7.7 (High), classified as CWE-863 (Incorrect Authorization). The fix shipped in version 2026.5.6.
CVE-2026-53822: Command Injection via Argv Rebuild (pre-2026.5.18)
A time-of-check-to-time-of-use (TOCTOU) race condition in OpenClaw’s shell wrapper allowed command arguments to be modified between allowlist approval and execution, according to NVD. An attacker could submit arguments that pass the allowlist check, then have them rebuilt into a command shape that was never approved before the wrapper executed it. VulnCheck rated it 8.7 (High) on CVSS 4.0, classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). Patched in 2026.5.18.
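The check-then-rebuild pattern behind a TOCTOU like this one, beside a wrapper that executes exactly the argv it approved, as an added example in JavaScript. This is not OpenClaw's code or VulnCheck's; the allowlist, the command names, the recording runner and the "racing" request object (a constructed stand-in for a write landing in the window between check and execution) are all assumptions made for the example.

```javascript
// Added example, not OpenClaw's code: a check-then-rebuild wrapper with a TOCTOU
// window, beside a wrapper that executes exactly the argv it approved.
// Allowlist, command names and the "racing" request are all constructed.

// Constructed allowlist: command -> permitted argument tokens.
const ALLOWLIST = new Map([
  ['git', new Set(['status', 'log', 'diff'])],
  ['ls', new Set(['-l', '-a'])],
]);

function isAllowed(argv) {
  const [cmd, ...rest] = argv;
  const permitted = ALLOWLIST.get(cmd);
  return permitted !== undefined && rest.every((a) => permitted.has(a));
}

// Vulnerable shape: the check reads request.argv, then the argv handed to the
// runner is rebuilt from request.argv again. Whatever is written to the request
// between those two reads reaches execution without ever being checked.
function vulnerableWrapper(request, runner) {
  if (!isAllowed(request.argv)) return { executed: false };
  request.approved = true;
  // ... other handlers run here; this is the window ...
  const rebuilt = [request.argv[0], ...request.argv.slice(1)];
  return { executed: true, argv: runner(rebuilt) };
}

// Hardened shape: read the argv once into a frozen snapshot, check that
// snapshot, and pass the same snapshot to the runner. The request is never
// consulted again, so a later write cannot change what executes.
function hardenedWrapper(request, runner) {
  const snapshot = Object.freeze([...request.argv]);
  if (!isAllowed(snapshot)) return { executed: false };
  return { executed: true, argv: runner(snapshot) };
}

// Constructed stand-in for a concurrent writer: the first read of .argv returns
// the argv that passes the allowlist, every later read returns a different one,
// which is exactly what the wrapper sees if a write lands inside the window.
function racingRequest(firstArgv, laterArgv) {
  let reads = 0;
  return {
    get argv() {
      reads += 1;
      return reads === 1 ? firstArgv : laterArgv;
    },
  };
}

// The runner only records what it was asked to execute; no process is spawned.
const recordingRunner = (argv) => [...argv];

function demoArgvRace() {
  const approved = ['git', 'status'];
  const swapped = ['git', 'log', '--all']; // '--all' is not on the allowlist
  return {
    vulnerable: vulnerableWrapper(racingRequest(approved, swapped), recordingRunner),
    hardened: hardenedWrapper(racingRequest(approved, swapped), recordingRunner),
    hardenedDirect: hardenedWrapper({ argv: swapped }, recordingRunner),
  };
}
```

The defensive point is the single read: the hardened wrapper checks and executes the same frozen array, so the only way to change what runs is to change what gets checked. Passing that array to a runner that takes an argv list (rather than joining it into a shell string) keeps the approved shape intact end to end.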
CVE-2026-53821: Admin Authority Bypass via WebSockets (pre-2026.5.18)
OpenClaw accepted client-declared operator scopes on WebSocket connections before verifying server-approved pairing or trusted-proxy authorization, per NVD. Unpaired or restricted Control UI clients could declare admin scope and gain cached operator.admin authority, enabling execution of admin-gated Gateway RPCs. VulnCheck rated it 8.7 (High) on CVSS 4.0, classified as CWE-862 (Missing Authorization). Also patched in 2026.5.18.
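The two authorization bugs above (owner-only native commands that skip the policy check, and WebSocket scopes taken from the client's own declaration) share one fix shape: derive authority from server-side state and enforce policy against that. The JavaScript below is an added example of that shape for both, not OpenClaw's code. Apart from the scope name operator.admin, which the advisory mentions, the pairing records, role-to-scope mapping, other scope names and the command policy table are all assumptions made for the example.

```javascript
// Added example, not OpenClaw's code: a gateway that derives a WebSocket
// connection's effective scopes from its server-side pairing record instead of
// from the scopes the client declares, then enforces an owner-only policy on
// native commands against those scopes. Pairing records, scope names other than
// operator.admin, and the command policy table are all constructed.

// Constructed pairing state, as the server would hold it for live connections.
const PAIRING = new Map([
  ['conn-owner', { paired: true, role: 'owner' }],
  ['conn-operator', { paired: true, role: 'operator' }],
  ['conn-unpaired', { paired: false, role: null }],
]);

// Constructed role -> scope mapping; operator.admin is the admin-gating scope.
const ROLE_SCOPES = {
  owner: new Set(['operator.admin', 'operator.read', 'operator.exec']),
  operator: new Set(['operator.read', 'operator.exec']),
};

// Vulnerable shape: whatever the client put in its hello frame is cached as the
// connection's authority. An unpaired client that declares operator.admin has it.
function scopesFromClientHello(hello) {
  return new Set(hello.scopes || []);
}

// Hardened shape: the client's declared scopes are at most a request to narrow.
// The granted set is the intersection of that request with what the pairing
// record permits, and an unpaired connection is granted nothing regardless of
// what it declared.
function scopesFromPairing(connId, hello) {
  const record = PAIRING.get(connId);
  if (!record || !record.paired) return new Set();
  const permitted = ROLE_SCOPES[record.role] || new Set();
  const requested = Array.isArray(hello.scopes) ? hello.scopes : [...permitted];
  return new Set(requested.filter((s) => permitted.has(s)));
}

// Constructed native command policy. Unknown commands are denied outright.
const COMMAND_POLICY = {
  'restart-gateway': 'owner-only',
  'list-sessions': 'any-operator',
};

// The owner-only check runs on every native command, not just on some paths.
function canRunNativeCommand(scopes, command) {
  const policy = COMMAND_POLICY[command];
  if (policy === undefined) return false;
  if (policy === 'owner-only') return scopes.has('operator.admin');
  return scopes.has('operator.exec');
}

// One RPC dispatch path: authority comes from the pairing-derived scopes only.
function dispatch(connId, hello, command) {
  const scopes = scopesFromPairing(connId, hello);
  return { allowed: canRunNativeCommand(scopes, command), scopes: [...scopes].sort() };
}
```

Note that scopesFromClientHello is kept only to make the contrast visible; the dispatch path never calls it. When reviewing a gateway for this class of bug, the question to ask of every cached scope or role is which server-side record it was derived from.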
CVE-2026-53819: Arbitrary Code Execution via .env Override (pre-2026.5.27)
During skill installation, OpenClaw allowed workspace .env files to override the Homebrew executable path, according to NVD. Attackers with access to trusted operator workspaces could substitute a malicious executable during skill setup, achieving arbitrary code execution. VulnCheck rated it 8.7 (High) on CVSS 4.0, classified as CWE-426 (Untrusted Search Path). Patched in 2026.5.27.
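The untrusted-search-path shape described above, as an added JavaScript example that is not OpenClaw's code: a resolver that lets a workspace .env entry replace the executable path, beside one that honours only an allowlist of non-path keys from .env and locates the binary in fixed system directories. The .env text, the HOMEBREW_PATH key name, the SKILL_LOG_LEVEL key, the trusted path list and the file-system existence check are all assumptions made for the example; the advisory names none of them.

```javascript
// Added example, not OpenClaw's code: how a skill installer resolves the Homebrew
// executable. The vulnerable resolver lets a workspace .env entry replace the
// executable path; the hardened one honours only an allowlist of non-path keys
// from .env and locates brew in fixed system directories. The .env text, the
// HOMEBREW_PATH key name and the file-system view are all constructed.

// Constructed: the only locations the installer will ever execute brew from.
const TRUSTED_BREW_PATHS = ['/opt/homebrew/bin/brew', '/usr/local/bin/brew'];

// Minimal .env parser: KEY=value lines, '#' comments, optional surrounding quotes.
function parseDotEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2
      && (value[0] === '"' || value[0] === "'")
      && value[value.length - 1] === value[0];
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Vulnerable shape: a workspace-controlled key wins over the installer's own
// resolution, so whoever can write the workspace .env chooses the binary.
function resolveBrewVulnerable(dotEnv, exists) {
  if (dotEnv.HOMEBREW_PATH) return dotEnv.HOMEBREW_PATH;
  return TRUSTED_BREW_PATHS.find(exists) || null;
}

// Hardened shape: executable paths are never read from workspace input. Only
// allowlisted, non-path settings are taken from .env; everything else is
// reported as ignored so the operator can see what the workspace tried to set.
const DOTENV_ALLOWED_KEYS = new Set(['SKILL_LOG_LEVEL']); // constructed allowlist

function resolveBrewHardened(dotEnv, exists) {
  const settings = {};
  const ignored = [];
  for (const key of Object.keys(dotEnv)) {
    if (DOTENV_ALLOWED_KEYS.has(key)) settings[key] = dotEnv[key];
    else ignored.push(key);
  }
  return { brew: TRUSTED_BREW_PATHS.find(exists) || null, settings, ignored };
}

// Constructed workspace .env, including a path override a trusted resolver must
// refuse, and a constructed existence check standing in for fs.existsSync.
const WORKSPACE_DOTENV = [
  '# constructed workspace .env',
  'SKILL_LOG_LEVEL=debug',
  'HOMEBREW_PATH="/tmp/workspace/bin/brew"',
].join('\n');
const fakeExists = (p) => p === '/opt/homebrew/bin/brew';

function demoBrewResolution() {
  const dotEnv = parseDotEnv(WORKSPACE_DOTENV);
  return {
    vulnerable: resolveBrewVulnerable(dotEnv, fakeExists),
    hardened: resolveBrewHardened(dotEnv, fakeExists),
  };
}
```

Logging the ignored keys is the detection hook: a workspace that tries to set an executable path is worth a look even after the resolver refuses it.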
No public proof-of-concept exploits have been published for any of the four vulnerabilities at the time of writing, according to TheHackerWire.
Version Coverage
The four CVEs span three patch releases. Users running versions older than 2026.5.27 should update immediately, as that version addresses all four:
- 2026.5.6 fixes CVE-2026-53828
- 2026.5.18 fixes CVE-2026-53822 and CVE-2026-53821
- 2026.5.27 fixes CVE-2026-53819
Each vulnerability was reported through OpenClaw’s GitHub Security Advisories and coordinated with VulnCheck as the CNA (CVE Numbering Authority).
The Pattern for Agent Platform Operators
The four CVEs share a common thread: each targets the boundary between what an agent platform approves and what actually executes. Owner-only commands that skip enforcement. Allowlisted arguments that change after approval. WebSocket scopes that clients declare without server validation. Environment variables that redirect trusted executables.
Each targets the specific trust model that agent platforms introduce: systems where AI agents execute privileged operations on behalf of users, and where the gap between “approved” and “executed” becomes an attack surface. Teams deploying OpenClaw in multi-user or enterprise environments should audit which version they are running and apply the patches before exposing instances to authenticated users who are not system owners.