DEV Community

CVE Reports

Originally published at cvereports.com


CVE-2026-53844: Missing Session Visibility Authorization Bypass in OpenClaw Shared Memory Search

Vulnerability ID: CVE-2026-53844
CVSS Score: 6.5
Published: 2026-06-18

A missing authorization vulnerability (CWE-862) exists in the shared memory search interface (memory-wiki) of OpenClaw prior to version 2026.4.29. The application does not apply visibility controls to search queries sent to /api/memory-wiki/search. Consequently, an authenticated attacker with low privileges can query the global index and exfiltrate sensitive memory entries belonging to other active or historical sessions without authorization.

TL;DR

OpenClaw versions before 2026.4.29 do not enforce the SessionVisibilityGuard authorization check on the shared memory search API endpoint. This omission allows any low-privileged authenticated user to query and retrieve private memory and configuration logs from other active or historical sessions.

Technical Details

  • CWE ID: CWE-862: Missing Authorization
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5 (Medium)
  • CVSS v4.0 Score: 6.0 (Medium)
  • EPSS Score: 0.0021
  • Impact: High Confidentiality Loss
  • Exploit Status: No public proof-of-concept exists
  • CISA KEV Status: Not listed

Affected Systems

  • OpenClaw instances running versions < 2026.4.29
  • OpenClaw: < 2026.4.29 (Fixed in: 2026.4.29)

Mitigation Strategies

  • Upgrade OpenClaw deployment to version 2026.4.29 or newer.
  • Restrict network access to the API endpoints using external authorization proxies or API gateways.
  • Deploy Web Application Firewall rules to block wildcard query strings on the shared search path.

Remediation Steps

  1. Identify all OpenClaw instances running versions older than 2026.4.29.
  2. Pull the updated software version via the official registry or package manager.
  3. Verify that routes/memoryWiki.js incorporates the SessionVisibilityGuard middleware.
  4. Restart the OpenClaw service and perform validation tests using a low-privileged account to confirm that search results are restricted to the local session.
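The following JavaScript is an added illustration, not OpenClaw's own code (the report names only the route file and the SessionVisibilityGuard middleware). It models the failure class from the description and the check behind remediation steps 3 and 4: a search over a shared index that applies no visibility filter, the same search with a session visibility predicate applied before matching, and a validation helper that confirms a low-privileged account's results are confined to its own session. The index contents, session ids, role names and the admin exception are constructed assumptions.

```javascript
// Added example, not OpenClaw code. Constructed in-memory stand-in for the
// shared memory index: every entry records the session that owns it.
const MEMORY_INDEX = [
  { id: 1, sessionId: "sess-A", text: "deployment notes for staging" },
  { id: 2, sessionId: "sess-B", text: "api token rotation schedule" },
  { id: 3, sessionId: "sess-A", text: "meeting summary" },
  { id: 4, sessionId: "sess-C", text: "api gateway config" },
];

// Substring match over whatever index it is handed. Called on the full
// index with no prior filtering, this is the missing-authorization pattern:
// the requester's session is never consulted.
function searchUnguarded(index, query) {
  const q = String(query).toLowerCase();
  return index.filter((e) => q === "*" || e.text.toLowerCase().includes(q));
}

// Visibility predicate (assumed policy): a requester may read entries of
// its own session only, unless it carries an "admin" role.
function sessionVisibilityGuard(requester) {
  return (entry) =>
    requester.roles.includes("admin") || entry.sessionId === requester.sessionId;
}

// Hardened search: reduce the index to visible entries first, then match.
// Filtering before matching means a wildcard query cannot widen the scope.
function searchGuarded(index, requester, query) {
  const visible = index.filter(sessionVisibilityGuard(requester));
  return searchUnguarded(visible, query);
}

// Validation check for remediation step 4: with a non-admin account, every
// returned entry must belong to the requester's own session.
function resultsRestrictedToSession(results, requester) {
  return results.every((e) => e.sessionId === requester.sessionId);
}

// Minimal stand-in for the /api/memory-wiki/search handler. `guarded`
// selects the before/after behaviour so both can be compared in one run.
function handleSearch(req, guarded) {
  if (!req.requester) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const results = guarded
    ? searchGuarded(MEMORY_INDEX, req.requester, req.query)
    : searchUnguarded(MEMORY_INDEX, req.query);
  return { status: 200, body: results };
}

// Stand-alone run: a low-privileged session issues a wildcard query against
// both variants and the validation helper reports whether it leaked.
const lowPriv = { sessionId: "sess-A", roles: ["user"] };
for (const guarded of [false, true]) {
  const res = handleSearch({ requester: lowPriv, query: "*" }, guarded);
  console.log(
    guarded ? "guarded  " : "unguarded",
    "entries:", res.body.length,
    "restricted to own session:", resultsRestrictedToSession(res.body, lowPriv)
  );
}
```

The point of the arrangement is that the guard is applied to the data set before the query runs, rather than to the query string afterwards; a WAF rule on wildcard queries (mitigation above) narrows one input pattern, whereas the predicate bounds every result the handler can emit.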
