Description
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Control UI pairing process of OpenClaw versions prior to 2026.5.22 allows a malicious actor with network access to fake the locality information used for trust decisions. By spoofing locality, an attacker can convert a temporary shared access token into a durable, admin-capable token that remains valid even after normal token rotation. This results in unauthorized administrative control of the device, compromising confidentiality, integrity, and availability of any data or services hosted on the device.

Affected Systems

The vulnerability affects the OpenClaw platform, specifically any installations of OpenClaw older than version 2026.5.22. Users running those versions should verify their deployment and plan to update.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and while an EPSS score is not available, the lack of a published exploit does not diminish the risk of future exploitation. The vulnerability is not listed in CISA’s KEV catalog, but the attack path requires only network connectivity to the Control UI, making it a likely vector for attackers on the same network or with remote network access.

Generated by OpenCVE AI on June 11, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.5.22 or later.
  • If an immediate upgrade is not possible, restrict network access to the Control UI endpoint to trusted hosts only.
  • Implement server-side locality checks to ensure that any client requests are verified against an approved list of localities before token issuance.
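The last recommendation in practice: an added, hypothetical pairing handler (not OpenClaw's code; the request shape, field names and the loopback-only policy are assumptions) that shows the CWE-290 pattern of trusting a client-supplied locality claim next to a version that derives locality from connection metadata and never turns a shared pairing into a durable admin token.

```python
# Added illustration for this advisory; not taken from OpenClaw. The PairingRequest
# shape and the "loopback peer == local" policy are assumptions for the example.
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PairingRequest:
    peer_ip: str                  # taken from the accepted socket, not from the client
    claimed_locality: str         # client-supplied field ("local"/"remote"): untrusted
    via_reverse_proxy: bool = False  # peer_ip is the proxy, so it says nothing about locality


def is_local_peer(peer_ip: str) -> bool:
    """Locality derived from the transport layer: only a loopback peer counts as local."""
    return ipaddress.ip_address(peer_ip).is_loopback


def _token() -> str:
    return secrets.token_urlsafe(32)


def issue_token_vulnerable(req: PairingRequest) -> dict:
    """CWE-290 pattern: the durable admin-capable token hinges on a claim the client
    controls, so any network peer can obtain it by sending claimed_locality="local"."""
    if req.claimed_locality == "local":
        return {"role": "admin", "durable": True, "token": _token()}
    return {"role": "guest", "durable": False, "token": _token()}


def issue_token_hardened(req: PairingRequest, approved_local_peers=("127.0.0.1", "::1")) -> dict:
    """Locality is computed server-side from the connection and checked against an
    approved list; the client's claim is ignored. Anything remote or unverifiable gets a
    short-lived, non-admin token, so spoofing the claim cannot escalate privileges."""
    local = (
        not req.via_reverse_proxy
        and is_local_peer(req.peer_ip)
        and req.peer_ip in approved_local_peers
    )
    if local:
        return {"role": "admin", "durable": True, "token": _token()}
    return {"role": "guest", "durable": False, "ttl_seconds": 600, "token": _token()}
```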


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:45:00 +0000

Values Removed: none (initial entry)
Values Added:
Description: OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.
Title: OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-290
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: none
Metrics:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T20:09:38.043Z

Reserved: 2026-06-10T21:16:07.494Z

Link: CVE-2026-53817

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T21:16:23.960

Modified: 2026-06-11T21:16:23.960

Link: CVE-2026-53817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:00:09Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing