~/f4n6 $ grep -r "OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to..." ./investigations/ --include="*.md"

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to...

Jeff Davies 13 Jun 2026 4 min read

1. Executive summary

OpenClaw versions prior to 2026.5.18 contain an authorization bypass vulnerability (CVE-2026-53821) in the Gateway WebSocket control plane. The Gateway accepts client-declared operator scopes before binding them to a server-approved pairing flow or a trusted-proxy authorization baseline, allowing unpaired or restricted trusted-proxy Control UI clients to obtain cached operator.admin authority on live WebSocket connections and execute admin-gated Gateway RPCs. The publishing GitHub Advisory classifies the issue as High severity; the CVE is currently marked Unreviewed by NVD and no CVSS vector has been resolved. EMEA financial services entities running OpenClaw — including as a third-party component in trading, ops, or automation pipelines — should treat this as a P1 patch item pending further review.

2. Regulatory framing

Article Trigger Practical impact
DORA Art. 28 OpenClaw is a third-party ICT software component embedded in ICT systems supporting business functions Financial entities must include OpenClaw in their ICT third-party risk register and assess whether the vulnerability triggers notification, patch SLA, or exit-clause obligations with the providing vendor/integrator
NIS2 Art. 21(2)(d) OpenClaw is a supply-chain software dependency In-scope entities must evaluate the OpenClaw dependency as part of supply-chain security measures and ensure vulnerabilities in third-party components are identified and addressed

3. Technical analysis & attack chain

The vulnerability is in the OpenClaw Gateway's WebSocket authorization logic. The Gateway accepts operator scope claims declared by the WebSocket client before validating them against either:

  1. A completed device-pairing / bootstrap flow, or
  2. A trusted-proxy authorization baseline.

This means an attacker who can reach the WebSocket endpoint — including via an unpaired Control UI client or a restricted trusted-proxy client — can claim operator.admin scope and the Gateway will honour it on the live connection, granting access to admin-gated Gateway RPCs.

Attack chain (confirmed)

  1. Reach the WebSocket endpoint. Attacker reaches the OpenClaw Gateway WebSocket listener (typically the Control UI port) directly, or via a trusted-proxy that does not enforce pairing.
  2. Declare operator.admin scope. Attacker opens a WebSocket session and declares operator.admin scope in the client handshake before any pairing or trusted-proxy authorization has completed.
  3. Gateway honours the claim. Because the Gateway binds to the client-declared scope before validating against the pairing/proxy baseline, the session is granted operator.admin authority.
  4. Execute admin-gated Gateway RPCs. Attacker invokes admin-gated RPCs against the live WebSocket session, obtaining the same authority as a fully paired operator.

Technical specifics

  • Affected versions: OpenClaw prior to 2026.5.18
  • Fixed in: OpenClaw 2026.5.18
  • Component: Gateway WebSocket control plane
  • Affected scope: operator.admin (admin-gated Gateway RPCs)
  • Trigger conditions: Unpaired Control UI clients OR restricted trusted-proxy clients
  • Authorization model bypassed: Server-approved pairing OR trusted-proxy authorization baseline
  • Related vulnerabilities in OpenClaw (context):
  • GHSA-ffhm-8fwq-7q27 (corpus-1): OpenClaw before 2026.5.12 — allowlist bypass in PowerShell encoded-command handling via abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks to execute arbitrary PowerShell content.
  • GHSA-jj27-4rc8-m6mm (corpus-2): OpenClaw before 2026.5.4 — authorization bypass in the bundled device-pair plugin allowing non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation, granting persistent credentials until manual removal.

Caveats

The CVE is currently marked "Unreviewed" by NVD; no CVSS vector has been resolved. The "High severity" classification is the GitHub Advisory's own assessment. No public exploitation, threat-actor attribution, or in-the-wild campaign has been confirmed in the source material. The two related corpus advisories indicate OpenClaw has had a pattern of authorization-scope and allowlist-parser weaknesses across recent releases (2026.5.4, 2026.5.12, 2026.5.18), suggesting the project's authorization model has not been consistently hardened.

4. Mitigation & containment

P1 — within 24 hours

  • Patch to 2026.5.18 or later. Upgrade all OpenClaw deployments (Gateway, Control UI clients, bundled plugins) to OpenClaw 2026.5.18 or the latest available release.
  • Inventory exposure. Identify all OpenClaw instances, WebSocket Gateway endpoints, and trusted-proxy frontends in the estate. Confirm whether any are internet-reachable.
  • Restrict WebSocket reachability. Until patched, restrict the OpenClaw Gateway WebSocket listener to known operator IPs / VPN ranges at the network layer. Firewall or disable any internet-facing Control UI frontends.

P2 — within 72 hours

  • Audit operator.admin activity. Review Gateway RPC logs and WebSocket session logs for the period since the last known-good state. Look for sessions that invoked admin-gated RPCs without a corresponding completed pairing event or trusted-proxy authorization record.
  • Revoke cached credentials. Force re-pairing of all Control UI clients and rotate any cached operator credentials issued prior to the patch.
  • Validate trusted-proxy configuration. Confirm trusted-proxy frontends enforce the authorization baseline (not just pass-through) and reject sessions that have not completed pairing.

P3 — within 7 days

  • Review related OpenClaw advisories. Assess exposure to GHSA-ffhm-8fwq-7q27 (PowerShell encoded-command allowlist bypass, fixed in 2026.5.12) and GHSA-jj27-4rc8-m6mm (device-pair plugin authorization bypass, fixed in 2026.5.4). Patch to a release that includes all three fixes.
  • Vendor / contractual review. Where OpenClaw is supplied under a third-party contract, invoke DORA Art. 30 patch/SLA provisions and confirm the supplier's vulnerability-disclosure and incident-cooperation obligations.
  • Concentration-risk assessment. If OpenClaw is used pervasively across business functions, evaluate whether DORA Art. 29 concentration-risk assessment is warranted.

5. Indicators of compromise

No indicators of compromise available in the source material.

6. Detection

title: OpenClaw Gateway WebSocket operator.admin Scope Claim Before Pairing
id: 9a8c7b3e-2d4f-4e1a-b5c6-7d8e9f0a1b2c
status: experimental
description: Detects WebSocket sessions to OpenClaw Gateway that declare operator.admin scope before pairing or trusted-proxy authorization has completed.
author: Adverse Trace
date: 2026-06-13
references:

  - https://github.com/advisories/GHSA-vcg8-6gf2-cg9j
logsource:
  product: openclaw_gateway
  category: websocket_session
detection:
  selection_scope:
    websocket_scope_claimed: "operator.admin"
  selection_unauth:
    pairing_completed: false
    trusted_proxy_authorized: false
  condition: selection_scope and selection_unauth
level: high
tags:

  - attack.initial_access
  - attack.t1078

7. Sources

  • GitHub Security Advisories — GHSA-vcg8-6gf2-cg9j: OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. https://github.com/advisories/GHSA-vcg8-6gf2-cg9j (published 2026-06-13)
  • GitHub Security Advisories — GHSA-ffhm-8fwq-7q27: OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling. https://github.com/advisories/GHSA-ffhm-8fwq-7q27
  • GitHub Security Advisories — GHSA-jj27-4rc8-m6mm: OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin. https://github.com/advisories/GHSA-jj27-4rc8-m6mm

8. Adverse Trace position

Severity: High (per publishing GitHub Advisory; CVE currently unreviewed by NVD, no CVSS vector resolved). Client impact: any EMEA financial services entity running OpenClaw prior to 2026.5.18 — particularly where the Gateway WebSocket is reachable from untrusted networks or via trusted-proxy frontends without enforced pairing — is exposed to admin-gated RPC execution by unauthenticated or restricted clients. Next steps: Adverse Trace will (a) monitor NVD for the resolved CVSS vector and update this advisory, (b) track for any public PoC or in-the-wild exploitation, and (c) re-assess if a confirmed threat-actor attribution emerges.

Read the original source →

Published via PulseTrace — Adverse Trace threat intelligence.

Post this to LinkedIn
Formatting is converted automatically — headings, bullets, a link back & hashtags. Paste straight in.
J
Jeff Davies