CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53850: Missing Authorization in OpenClaw focus Command Control Scope Enforcement

Vulnerability ID: CVE-2026-53850
CVSS Score: 5.5
Published: 2026-06-18

An authorization bypass vulnerability in OpenClaw versions prior to 2026.4.25 allows authenticated users to execute the 'focus' command without proper controlScope validation. Because the routing engine fails to enforce configured access policies on this specific command pathway, low-privilege operators can alter the gateway's global focus state, leading to potential unauthorized cross-channel or cross-session interaction depending on downstream configuration.

TL;DR

A missing authorization check (CWE-862) in the OpenClaw 'focus' command allows authenticated low-privilege users to change the gateway's focus state, bypassing configured controlScope isolation boundaries.
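To make the CWE-862 pattern concrete, here is an added example (not OpenClaw's code, and not from the original report): a small command router in which the 'focus' command is dispatched through a side path that never consults the controlScope policy, beside a hardened router that runs one authorization gate before every handler. The policy table, scope names and operator objects are constructed for illustration.

```javascript
// Constructed policy: the controlScope each command requires. Changing the
// gateway's global focus is treated as needing gateway-wide scope.
const POLICY = {
  focus: 'gateway',
  send: 'session',
  status: 'session',
};

// Constructed scope ordering: a broader scope satisfies a narrower requirement.
const SCOPE_RANK = { session: 1, channel: 2, gateway: 3 };

function isAuthorized(policy, operator, command) {
  const required = policy[command];
  if (required === undefined) return false; // unknown command: deny by default
  const held = SCOPE_RANK[operator.controlScope];
  return held !== undefined && held >= SCOPE_RANK[required];
}

// Vulnerable shape: 'focus' is handled before the policy check, so any
// authenticated operator can change the shared focus state.
function routeVulnerable(policy, state, operator, command, arg) {
  if (command === 'focus') {
    state.focus = arg; // no isAuthorized call on this pathway
    return { ok: true, focus: state.focus };
  }
  if (!isAuthorized(policy, operator, command)) {
    return { ok: false, reason: 'denied', focus: state.focus };
  }
  return { ok: true, focus: state.focus };
}

// Hardened shape: a single gate runs for every command, including 'focus',
// and emits an audit line that log review (remediation step 5) can look for.
function routeHardened(policy, state, operator, command, arg) {
  if (!isAuthorized(policy, operator, command)) {
    const audit = `authz denied: operator=${operator.id} command=${command}`;
    return { ok: false, reason: 'denied', focus: state.focus, audit };
  }
  if (command === 'focus') state.focus = arg;
  return { ok: true, focus: state.focus };
}
```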


Technical Details

  • CWE ID: CWE-862 (Missing Authorization)
  • Attack Vector: Local (AV:L)
  • CVSS v3.1 Base Score: 5.5
  • CVSS v4.0 Base Score: 6.8
  • EPSS Score: 0.00093 (0.71st percentile)
  • Impact Class: Integrity (High)
  • Exploit Status: No public functional exploit or proof-of-concept exists
  • CISA KEV Status: Not listed

Affected Systems

  • OpenClaw Gateway deployments running versions prior to 2026.4.25
  • openclaw: < 2026.4.25 (Fixed in: 2026.4.25)

Mitigation Strategies

  • Upgrade the OpenClaw package to version 2026.4.25 or later.
  • Explicitly disable the focus command in deployment environments if it is not required for daily tasks.
  • Restrict network or platform access to the OpenClaw deployment so that only trusted operators can submit commands.
  • Avoid multi-tenant configurations on a single shared OpenClaw Gateway instance.

Remediation Steps

  1. Open your terminal and navigate to the root directory of your OpenClaw deployment.
  2. Verify the currently installed version using npm list openclaw.
  3. Run the package update command: npm install openclaw@2026.4.25.
  4. Restart the OpenClaw service to ensure the patched routing logic is compiled and loaded.
  5. Audit application logs to ensure focus commands are now accompanied by authorization challenges.

Read the full report for CVE-2026-53850 on our website for more details including interactive diagrams and full exploit analysis.
