CVE Catalog

CVE-2026-53820

MediumCVSS 6.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

OpenClaw before version 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions.

Risk Assessment

Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended, posing a serious security threat to the system.

Recommendation

It is recommended to update OpenClaw to version 2026.5.12 or later to mitigate this vulnerability and implement additional access control measures.

Original NVD description (English source)

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS