CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53856: Incorrect Permission Assignment for Critical Resource in OpenClaw Config Recovery

Vulnerability ID: CVE-2026-53856
CVSS Score: 5.7
Published: 2026-06-18

OpenClaw versions before 2026.4.24 contain an insecure file permissions vulnerability in the configuration recovery mechanism. When a local configuration repair is triggered, the recovery path restores the primary configuration file, openclaw.json, with overly broad permissions. This enables low-privileged local attackers in multi-user or shared hosting environments to read sensitive system credentials, API tokens, and private assistant configurations.

TL;DR

OpenClaw's configuration recovery mechanism recreates openclaw.json with overly permissive file system permissions (e.g., 0644 instead of 0600). This allows local, low-privileged users on the same host to read sensitive parameters, including OpenAI and Anthropic API keys.


Technical Details

  • CWE ID: CWE-732
  • Attack Vector: Local
  • CVSS v4.0 Score: 5.7 (Medium)
  • EPSS Score: 0.00094
  • Impact: High Confidentiality Loss
  • Exploit Status: none
  • KEV Status: Not Listed

Affected Systems

  • OpenClaw operating in multi-user or shared hosting environments
  • OpenClaw: >= 2026.4.23, < 2026.4.24 (Fixed in: 2026.4.24)

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.4.24 or later to ensure the recovery routine writes the configuration file with secure permissions.
  • Manually modify permissions of the existing 'openclaw.json' to restrict read and write access to the owner only.
  • Configure a restrictive system umask (such as 0077) for the user account running the OpenClaw service.

Remediation Steps

  1. Identify the installation path of the OpenClaw configuration file (usually 'openclaw.json').
  2. Apply owner-only permissions to the file using the command: chmod 600 /path/to/openclaw/openclaw.json
  3. Verify the permissions are securely set by running: ls -la /path/to/openclaw/openclaw.json
  4. Upgrade the application binary to version 2026.4.24 to permanently fix the recovery path logic.
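An added example, not taken from the advisory or from the OpenClaw project, that scripts steps 2 and 3 above and shows why the umask mitigation works: it reports whether openclaw.json is readable by group or others, applies chmod 600 if so, and demonstrates that a file created under umask 077 comes out owner-only. The config path is an assumption; pass your own.

```shell
#!/bin/sh
# Audit and harden the mode of the OpenClaw config file (example code;
# the path /path/to/openclaw/openclaw.json is a placeholder, not a real install).

# Print the octal permission bits of a file; works with GNU and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 when only the owner has any access (600, 400, ...),
# 1 when any group or other permission bit is set (644, 664, ...).
is_owner_only() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;   # last two octal digits are group and other bits
        *)     return 1 ;;
    esac
}

# Step 2 and 3 of the remediation: fix the mode if it is too broad, then verify.
harden_config() {
    path=$1
    if is_owner_only "$path"; then
        echo "ok: $path is owner-only (mode $(file_mode "$path"))"
        return 0
    fi
    echo "insecure: $path has mode $(file_mode "$path"); applying chmod 600"
    chmod 600 "$path" && is_owner_only "$path"
}

# The umask mitigation: a file created under umask 077 is 0600 even when the
# program requests 0666, because the mask clears the group and other bits.
mode_under_umask() {
    ( umask 077; : > "$1" )   # create an empty file in a subshell with the mask
    file_mode "$1"
}

if [ $# -gt 0 ]; then
    harden_config "$1"
fi
```

Run as `sh harden.sh /path/to/openclaw/openclaw.json`; a non-zero exit means the file is still readable by others.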

Read the full report for CVE-2026-53856 on our website for more details including interactive diagrams and full exploit analysis.
