How CVE-2026-53821 Works
OpenClaw before version 2026.5.18 contains a critical authorization bypass vulnerability in its trusted-proxy Control UI WebSocket handling. The flaw arises when `gateway.auth.mode` is set to `"trusted-proxy"` — a deployment mode where the Gateway trusts identity headers supplied by a reverse proxy.
During WebSocket connection establishment, a client can declare its intended operator scopes (e.g., operator.admin, operator.read) as part of the connection handshake. In vulnerable versions, OpenClaw accepts these client-declared scopes before validating them against any server-approved pairing record or trusted-proxy authorization baseline. The server does not verify that the declared scope matches an approved device pairing or that the trusted-proxy client is actually authorized to request those scopes.
This means an unpaired or restricted trusted-proxy Control UI client can present a fresh, unpaired device identity with elevated requested scopes — for example, claiming `operator.admin` without ever having been granted that privilege. The server caches this authority on the live WebSocket connection, allowing the client to execute admin-gated Gateway RPCs until the connection is closed or revalidated.
The vulnerability does not affect shared-secret Control UI sessions, which are treated as trusted operator sessions by design. It only impacts deployments where `gateway.auth.mode: "trusted-proxy"` is used for Control UI access. An attacker with network access to the Gateway port can exploit this to escalate privileges from a restricted or unpaired client to full administrative control.
The flaw is assigned CWE-862 (Missing Authorization) and carries a CVSS v3.1 score of 8.8 (High). No public exploit is currently available, but the attack can be initiated remotely.
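The missing check described above, shown beside a hardened form. This is an added example, not OpenClaw source code: the function names, the `device_id` field, and the pairing and baseline tables are hypothetical, and only `requested_scopes` and the scope names come from this page.

```javascript
// Added illustration; not OpenClaw source. All names and record shapes are hypothetical.

// Constructed server-side state: approved pairing records keyed by device id,
// and the scopes each proxy-authenticated user is allowed to hold.
const pairings = new Map([
  ['dev-paired-1', { user: 'alice', scopes: ['operator.read', 'operator.admin'] }],
]);
const proxyBaseline = new Map([
  ['alice', ['operator.read', 'operator.admin']],
  ['bob', ['operator.read']],
]);

// Vulnerable pattern: the connection's authority is whatever the client declared.
function resolveScopesVulnerable(handshake) {
  return new Set(handshake.requested_scopes);
}

// Hardened pattern: requested scopes are only a ceiling. The grant is the
// intersection of the request, the proxy baseline for the authenticated user,
// and the approved pairing record for this device. No pairing means no scopes.
function resolveScopesHardened(handshake, proxyUser) {
  const pairing = pairings.get(handshake.device_id);
  if (!pairing || pairing.user !== proxyUser) return new Set();
  const baseline = new Set(proxyBaseline.get(proxyUser) ?? []);
  const approved = new Set(pairing.scopes);
  const granted = handshake.requested_scopes.filter(
    (s) => baseline.has(s) && approved.has(s)
  );
  return new Set(granted);
}

// RPC gate: consults the scopes cached on the connection at handshake time,
// which is why a wrong grant stays usable until the connection closes.
function canCall(connScopes, requiredScope) {
  return connScopes.has(requiredScope);
}

// Constructed handshakes: an unpaired device asking for admin, and a paired one.
const unpaired = { device_id: 'dev-fresh-9', requested_scopes: ['operator.admin', 'operator.read'] };
const paired = { device_id: 'dev-paired-1', requested_scopes: ['operator.admin'] };

console.log('vulnerable, unpaired:', canCall(resolveScopesVulnerable(unpaired), 'operator.admin'));
console.log('hardened, unpaired: ', canCall(resolveScopesHardened(unpaired, 'bob'), 'operator.admin'));
console.log('hardened, paired:   ', canCall(resolveScopesHardened(paired, 'alice'), 'operator.admin'));
```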
DailyCVE Form:
Platform: OpenClaw
Version: < 2026.5.18
Vulnerability: Scope Elevation
Severity: High (CVSS 8.8)
Date: 2026-06-12
Prediction: 2026-05-18
What Undercode Say
Analytics:
- CVSS Score: 8.8 (High) — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- EPSS: Not available
- CISA KEV: Not listed
- Attack Vector: Remote, requires low-privileged access to the Gateway WebSocket endpoint
- Weakness: CWE-862 — Missing Authorization
- Affected Component: WebSocket Connection Handler in trusted-proxy Control UI mode
- Patch Availability: Upstream fix released in 2026.5.18
Bash Commands & Codes:
```bash
# Check current OpenClaw version
openclaw --version

# Verify gateway.auth.mode configuration
grep -E "gateway.auth.mode" /etc/openclaw/config.yaml

# Upgrade to patched version
npm install -g openclaw@2026.5.18

# Restart gateway after upgrade
systemctl restart openclaw-gateway

# Verify WebSocket client scope declarations (audit logs)
grep -i "operator.admin" /var/log/openclaw/websocket.log
```
```javascript
// Example of a vulnerable WebSocket client declaration (exploit simulation)
const ws = new WebSocket('wss://gateway/control-ui');
ws.onopen = () => {
  ws.send(JSON.stringify({
    type: 'pair',
    client_id: 'control-ui',
    requested_scopes: ['operator.admin', 'operator.read'] // Accepted without validation
  }));
};
```
Exploit
An attacker with access to the Gateway port (local or network-accessible) can:
1. Establish a WebSocket connection to the Control UI endpoint (/control-ui).
2. Present a fresh, unpaired device identity (e.g., `client.id = "control-ui"` without a valid pairing record).
3. Declare elevated operator scopes such as `operator.admin` in the initial handshake.
4. The server accepts and caches these scopes without verifying them against any trusted-proxy authorization baseline.
5. The attacker can then invoke admin-gated Gateway RPCs (e.g., gateway.admin.listNodes, gateway.admin.updateConfig) over the live connection.
The attack does not require authentication if the trusted-proxy mode trusts all proxy-supplied headers. It bypasses origin validation when proxy headers are present, allowing cross-origin WebSocket connections.
Protection
- Upgrade OpenClaw to version 2026.5.18 or later immediately.
- Restrict trusted-proxy Control UI access to only those users who should have the scopes they can request.
- Restart the gateway after changing trusted-proxy authorization policy.
- Configure `controlUi.allowedOrigins` to restrict browser origins.
- Audit existing WebSocket clients for unauthorized operator scope declarations and revoke any that grant administrator privileges.
- Isolate the Gateway port behind a properly configured reverse proxy that validates and sanitizes identity headers.
- Monitor logs for suspicious `operator.admin` scope declarations from unpaired clients.
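One way to automate the log monitoring item above, as an added example that is not part of the original page or of OpenClaw. The JSON-lines record layout (`event`, `auth_mode`, `paired`, `conn`, `device_id`) is an assumption made for illustration and the sample lines are constructed; adapt the field names to what your gateway actually logs.

```javascript
// Added illustration; the record layout is an assumption, not OpenClaw's log format.
// Constructed sample input: four connection records and one non-JSON line.
const SAMPLE_LOG = [
  '{"ts":"2026-06-01T10:00:01Z","conn":"c1","event":"ws.connect","auth_mode":"trusted-proxy","device_id":"dev-a","paired":true,"requested_scopes":["operator.read"]}',
  '{"ts":"2026-06-01T10:02:17Z","conn":"c2","event":"ws.connect","auth_mode":"trusted-proxy","device_id":"dev-new","paired":false,"requested_scopes":["operator.admin","operator.read"]}',
  '{"ts":"2026-06-01T10:03:40Z","conn":"c3","event":"ws.connect","auth_mode":"shared-secret","device_id":"dev-b","paired":false,"requested_scopes":["operator.admin"]}',
  '{"ts":"2026-06-01T10:05:02Z","conn":"c4","event":"ws.connect","auth_mode":"trusted-proxy","device_id":"dev-c","paired":true,"requested_scopes":["operator.admin"]}',
  'gateway restarted (plain-text line, ignored)',
].join('\n');

// Scopes treated as elevated for alerting purposes.
const ELEVATED = new Set(['operator.admin']);

// Flags trusted-proxy connections where a device without an approved pairing
// declared an elevated scope. Shared-secret sessions are skipped because the
// advisory states they are not affected.
function findSuspiciousDeclarations(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // tolerate non-JSON lines mixed into the log
    }
    if (rec.event !== 'ws.connect' || rec.auth_mode !== 'trusted-proxy') continue;
    const elevated = (rec.requested_scopes ?? []).filter((s) => ELEVATED.has(s));
    // A missing or non-true "paired" field is treated as unpaired (fail closed).
    if (elevated.length > 0 && rec.paired !== true) {
      findings.push({ ts: rec.ts, conn: rec.conn, device_id: rec.device_id, elevated });
    }
  }
  return findings;
}

console.log(findSuspiciousDeclarations(SAMPLE_LOG));
```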
Impact
Confidentiality: High — An attacker can read sensitive configuration, node data, and internal state through admin-gated RPCs.
Integrity: High — The attacker can modify gateway settings, node configurations, and system policies.
Availability: High — The attacker can disrupt gateway operations, terminate nodes, or cause denial of service.
Scope: Unchanged — The vulnerability does not affect other components outside the gateway’s authorization scope.
Business Impact: Unauthorized administrative access can lead to full compromise of the OpenClaw deployment, data exfiltration, configuration tampering, and service disruption. Deployments using `gateway.auth.mode: "trusted-proxy"` for Control UI access are exclusively affected.
Sources:
Reported By: github.com

