Jun 19, 2026
A privilege escalation vulnerability in OpenClaw allows low-privilege internal/webchat senders to inherit wildcard administrative permissions, leading to unauthorized owner-level command execution.
CVE-2026-53854 is an authorization bypass vulnerability in OpenClaw, an open-source WhatsApp gateway CLI and Pi RPC agent. The flaw exists in the command authentication flow where low-privilege actors communicating via internal or webchat interfaces inherit global wildcard authorization states across channel boundaries. This cross-channel inheritance allows unauthorized command execution with administrative privileges.
OpenClaw is a WhatsApp gateway CLI built on the Baileys web API with an integrated Pi RPC agent. The system coordinates message routing across multiple channels, including WhatsApp chats, Slack, Discord, internal debug interfaces, and local webchat configurations.
To secure sensitive administration functions, OpenClaw implements an operator-trust model. This mechanism differentiates between operators with full administrative capabilities and channel-scoped users who are restricted to limited, non-administrative commands.
Authorization for administrative commands is governed by the `ownerAllowFrom` setting, which defines authorized identifiers for owner-level actions. A weakness exists in how the gateway evaluates authorization states when commands are received over internal or webchat communication paths, resulting in incorrect authorization enforcement.
The root cause of CVE-2026-53854 is classified under CWE-863 (Incorrect Authorization). The vulnerability occurs within the command-routing controller during authorization checks on incoming messages.
When evaluating permissions, the controller checks whether the channel configuration has wildcard privileges enabled, designated by a wildcard value (such as `*`) within the `ownerAllowFrom` setting. If a high-privilege channel utilizes this wildcard configuration, the state context of the controller is flagged as authorized.
Due to insufficient boundary isolation, this authorization state is not cleared before subsequent evaluations of other channels. When a lower-privileged user sends a request via an internal or webchat communication path, the authorization engine references the uncleared, active state. This state inheritance allows the lower-privilege connection to execute restricted commands with administrative permissions.
The following code block demonstrates a conceptual model of the vulnerable context-handling loop, where the authorization state is retained across requests:
```javascript
// Vulnerable Controller State Evaluation
class CommandController {
  constructor() {
    this.authState = {}; // Shared context variable
  }

  evaluateAuthorization(request) {
    // If the channel configuration specifies a wildcard, the state is flag-marked
    if (request.channelConfig.ownerAllowFrom === '*') {
      this.authState.isOwnerAllowed = true;
    }
    // BUG: If isOwnerAllowed is true from a previous evaluation,
    // it is never reset to false for subsequent channels that do not have wildcards.
    return this.authState.isOwnerAllowed;
  }
}
```

To resolve this vulnerability, the context validation must be explicitly restricted to the current request scope. Re-initializing the context on every evaluation cycle prevents previous authorization outcomes from leaking into new sessions:
```javascript
// Patched Controller State Evaluation
class CommandController {
  evaluateAuthorization(request) {
    // Fix: Scope state evaluation locally to prevent bleed across boundaries
    let isOwnerAllowed = false;
    if (request.channelConfig.ownerAllowFrom === '*') {
      isOwnerAllowed = true;
    } else {
      // Perform explicit credential and channel verification
      // (verifySenderIdentity is not defined in this conceptual model)
      isOwnerAllowed = this.verifySenderIdentity(request.sender, request.channelConfig.ownerAllowFrom);
    }
    return isOwnerAllowed;
  }
}
```

Exploiting CVE-2026-53854 requires a low-privilege attacker to have network access to an active, exposed OpenClaw gateway instance. The target gateway must also have at least one channel configured with a wildcard administrative setting.
The attacker initiates a connection using the webchat path or internal command interface. By sending a request that triggers the evaluation routine, the attacker forces the controller to process authorization against the active state context.
Because the shared context contains the wildcard flag inherited from the high-privilege configuration, the check passes. The command is successfully routed and executed with full operator-style rights, bypassing standard access controls.
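A regression check for the state inheritance described above, added here as an example and not taken from OpenClaw's code base: it compares each request's decision on a long-lived controller with the decision a fresh controller gives the same request. The two controllers are condensed from the conceptual model on this page; the exact-match allowlist standing in for `verifySenderIdentity`, the function name `findStateBleed`, and the sample requests are assumptions.

```javascript
// Added example: both controllers are condensed from the conceptual model above.
// The allowlist match in ScopedController is an assumed stand-in for verifySenderIdentity.
class SharedStateController {
  constructor() { this.authState = {}; }
  evaluateAuthorization(request) {
    if (request.channelConfig.ownerAllowFrom === '*') this.authState.isOwnerAllowed = true;
    return Boolean(this.authState.isOwnerAllowed); // never reset between requests
  }
}

class ScopedController {
  evaluateAuthorization(request) {
    const allow = request.channelConfig.ownerAllowFrom;
    if (allow === '*') return true;
    return Array.isArray(allow) && allow.includes(request.sender);
  }
}

// Returns every request whose decision on a long-lived controller differs from
// the decision a fresh controller gives the same request in isolation.
// A correct authorization check is a pure function of the request, so the
// list must be empty.
function findStateBleed(Controller, requests) {
  const shared = new Controller();
  const findings = [];
  for (const request of requests) {
    const isolated = Boolean(new Controller().evaluateAuthorization(request));
    const inSequence = Boolean(shared.evaluateAuthorization(request));
    if (isolated !== inSequence) {
      findings.push({ channel: request.channel, sender: request.sender, isolated, inSequence });
    }
  }
  return findings;
}

// Constructed sample traffic: a wildcard channel evaluated between scoped ones.
const SAMPLE_REQUESTS = [
  { channel: 'webchat', sender: 'guest-1', channelConfig: { ownerAllowFrom: ['owner-1'] } },
  { channel: 'whatsapp', sender: 'owner-1', channelConfig: { ownerAllowFrom: '*' } },
  { channel: 'webchat', sender: 'guest-1', channelConfig: { ownerAllowFrom: ['owner-1'] } },
  { channel: 'internal', sender: 'owner-1', channelConfig: { ownerAllowFrom: ['owner-1'] } },
];

console.log('shared state:', findStateBleed(SharedStateController, SAMPLE_REQUESTS));
console.log('request scoped:', findStateBleed(ScopedController, SAMPLE_REQUESTS));
```

Run as a unit test against the real controller, a non-empty result means a decision depended on evaluation order rather than on the request itself.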
The potential consequences of successful exploitation include complete compromise of gateway integrity. An attacker can execute arbitrary commands directly on the host system or through the connected Pi RPC agent.
Since OpenClaw controls the message transmission lifecycle, unauthorized administrative commands allow attackers to inject malicious messages, manipulate session databases, and intercept incoming communications. Additionally, the RPC interface could be used to interact with hardware peripherals managed by the host system.
The vulnerability is scored with a Medium severity rating of 6.0 on the CVSS scale. This score reflects the requirement for low-level initial privileges (PR:L) and specific configuration preconditions (AT:P), balancing the overall risk despite the high integrity impact.
The primary defense against this vulnerability is updating OpenClaw to version 2026.4.25 or later. This release enforces strict context boundary checks, preventing the sharing of authorization variables between channels.
If upgrading is not immediately possible, operators should remove wildcard entries from configuration files. Explicit allowlists should replace any entries containing wildcards in the `ownerAllowFrom` parameters.
Administrators must also implement network access control lists to isolate the webchat and internal interfaces. Restricting access to trusted administrative hosts or local loopback interfaces reduces the overall remote attack surface.
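One way to audit a configuration for the wildcard entries mentioned above, added here as an example and not part of OpenClaw: it walks a parsed configuration object and reports the path of every `ownerAllowFrom` value that contains `*`. Only the key name and the wildcard character come from this advisory; the configuration layout, the function names and the sample values are constructed.

```javascript
// Added example. Only the key name ownerAllowFrom and the '*' wildcard come
// from the advisory; the config layout below is constructed for illustration.

// True for any string entry that contains a wildcard character.
function isWildcard(entry) {
  return typeof entry === 'string' && entry.includes('*');
}

// Recursively walks a parsed config and returns the path of every
// ownerAllowFrom setting (string or array form) holding a wildcard entry.
function findWildcardOwners(node, path = '$', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findWildcardOwners(item, `${path}[${i}]`, findings));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (key === 'ownerAllowFrom') {
        const entries = Array.isArray(value) ? value : [value];
        if (entries.some(isWildcard)) findings.push(here);
      } else {
        findWildcardOwners(value, here, findings);
      }
    }
  }
  return findings;
}

// Constructed sample configuration (hypothetical layout and identifiers).
const SAMPLE_CONFIG = {
  channels: {
    whatsapp: { ownerAllowFrom: '*' },
    discord: { ownerAllowFrom: ['1234567890'] },
    webchat: { ownerAllowFrom: ['owner-1', '*'] },
    slack: { accounts: [{ ownerAllowFrom: ['U0000001'] }, { ownerAllowFrom: ' * ' }] },
  },
};

for (const hit of findWildcardOwners(SAMPLE_CONFIG)) {
  console.log(`wildcard owner entry at ${hit}: replace with an explicit allowlist`);
}
```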
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 |
| Attack Vector | Network |
| CVSS Score | 6.0 |
| EPSS Score | 0.00247 |
| Exploit Status | None |
| CISA KEV Status | Not Listed |