CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53852: Scope Containment Bypass in OpenClaw Device Re-pairing

Vulnerability ID: CVE-2026-53852
CVSS Score: 5.4
Published: 2026-06-18

OpenClaw versions prior to 2026.4.25 are subject to a scope containment bypass vulnerability in the device re-pairing component. When processing re-pairing requests, the application backend fails open rather than failing securely, allowing authenticated operators to bypass authorization containment policies. By submitting a re-pairing payload with an empty or omitted scope array, an operator can skip the containment checks and retain broader, previously established administrative privileges. This vulnerability is classified under CWE-636: Not Failing Securely ('Failing Open').

TL;DR

An authorization bypass in OpenClaw allows authenticated operators to retain elevated privileges during device re-pairing by submitting an empty scope array, skipping containment guards.


Technical Details

  • CWE ID: CWE-636
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.4 (Medium)
  • CVSS v4.0 Score: 2.3 (Low)
  • EPSS Score: 0.00164 (0.164% probability)
  • Exploit Status: None (No public PoC)
  • CISA KEV Status: Not Listed

Affected Systems

  • OpenClaw (Node.js environments)
  • OpenClaw: < 2026.4.25 (Fixed in: 2026.4.25)

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.4.25 or newer.
  • Deploy Web Application Firewall (WAF) or API gateway rules to filter and block empty or missing 'scopes' parameters in re-pairing requests.
  • Implement strict schema validation using libraries like Joi or Zod at the API routing layer so that a re-pairing request is rejected unless its 'scopes' array is present and non-empty.
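Because the defect is the fail-open branch described above, the following added example (not OpenClaw's code; the function names, scope strings and request shape are assumptions) puts a containment check that fails open beside one that fails closed, together with the payload-level rule the schema-validation mitigation calls for:

```javascript
// Added illustration, not OpenClaw's code. Function names, scope strings and
// the request shape are assumptions; the sample data is constructed.
// Scopes a device already holds before re-pairing (constructed sample).
const EXISTING = ["admin:devices", "admin:users", "read:telemetry"];

// Fail-open (CWE-636): an empty or omitted `scopes` array is treated as
// "nothing to narrow", so the containment branch is skipped and the broader
// existing grant survives the re-pair unchanged.
function containScopesOpen(existing, requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    return existing; // BUG: prior privileges are retained untouched
  }
  return requested.filter((s) => existing.includes(s));
}

// Fail-closed: reject malformed or empty input up front, then return only
// the intersection, so re-pairing can narrow privileges but never widen them.
function containScopesClosed(existing, requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new Error("re-pairing requires a non-empty scopes array");
  }
  if (!requested.every((s) => typeof s === "string" && s.length > 0)) {
    throw new Error("every scope must be a non-empty string");
  }
  const granted = requested.filter((s) => existing.includes(s));
  if (granted.length === 0) {
    throw new Error("no requested scope is contained in the existing grant");
  }
  return granted;
}

// Payload-level check a gateway or schema layer (the Joi/Zod rule in the
// mitigation list) can apply before the handler ever sees the request.
function isValidRepairPayload(body) {
  return body !== null && typeof body === "object" &&
    Array.isArray(body.scopes) && body.scopes.length > 0 &&
    body.scopes.every((s) => typeof s === "string" && s.length > 0);
}

// Run both checks against the bypass-shaped payload (empty scopes array).
function demo() {
  const payload = { deviceId: "dev-001", scopes: [] }; // constructed
  let closed;
  try { closed = containScopesClosed(EXISTING, payload.scopes); }
  catch (e) { closed = "rejected: " + e.message; }
  return { open: containScopesOpen(EXISTING, payload.scopes), closed,
           schemaValid: isValidRepairPayload(payload) };
}
console.log(demo());
```

The fail-open variant hands back all three existing scopes for an empty request, while the fail-closed variant and the payload check both reject it before any privilege is carried over.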

Remediation Steps

  1. Identify all running instances of OpenClaw within the environment.
  2. Verify current active versions against the affected range (strictly before 2026.4.25).
  3. Pull the official 2026.4.25 release or newer from the vendor repository.
  4. Apply the patch and restart the Node.js application process.
  5. Review authorization logs for any historical pairing requests containing empty scope payloads to identify potential exploitation attempts.
