Impact
OpenClaw before version 2026.5.6 contains an authorization bypass in native command handling that allows authenticated users to execute commands that should be restricted to owners. This flaw removes the policy enforcement layer, enabling privileged operations to be performed by unauthorized participants. The vulnerability is classified as CWE-863.
Affected Systems
All installations of OpenClaw older than version 2026.5.6 are affected, regardless of the hosting environment, as the flaw resides in the native command handling component.
Risk and Exploitability
The CVSS score of 7.7 indicates moderate to high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation is currently unlikely according to available threat intelligence. The attack vector requires an authenticated attacker to invoke the native command handling path; once that path is reached, the missing owner-command enforcement can be leveraged to run privileged commands, potentially allowing the authenticated user to achieve full system compromise.
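The flaw described in the Impact and Risk sections is an instance of CWE-863: authentication succeeds, but the dispatcher that runs commands never consults a policy that separates owner-only commands from ordinary ones. The following Python sketch, added here as an illustration and not taken from OpenClaw's code base, contrasts a dispatcher with no authorization step against one that places a deny-by-default policy check on the path to every handler and records denied attempts for audit. The command names, roles, handlers and audit log are constructed for this example.

```python
"""Owner-only command gating: a minimal policy enforcement layer.

Hypothetical illustration of CWE-863 (incorrect authorization). The command
names, roles and handlers below are constructed for this example and are not
taken from OpenClaw.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Role(Enum):
    OWNER = "owner"
    MEMBER = "member"


@dataclass(frozen=True)
class Participant:
    name: str
    role: Role


# Constructed policy table: commands any authenticated participant may run,
# and commands reserved for the owner. Anything not listed is denied.
MEMBER_COMMANDS = frozenset({"status", "help"})
OWNER_COMMANDS = frozenset({"restart", "set-policy", "rotate-token"})


class AuthorizationError(PermissionError):
    """Raised when a participant invokes a command their role does not permit."""


AUDIT_LOG: List[str] = []  # constructed in-memory audit trail of denied attempts


def is_permitted(command: str, who: Participant) -> bool:
    """Policy decision: deny by default; owner commands only for owners."""
    if command in MEMBER_COMMANDS:
        return True
    if command in OWNER_COMMANDS:
        return who.role is Role.OWNER
    return False


def authorize(command: str, who: Participant) -> None:
    """Enforcement point: log and reject any command the policy denies."""
    if not is_permitted(command, who):
        AUDIT_LOG.append(
            f"DENY command={command} user={who.name} role={who.role.value}"
        )
        raise AuthorizationError(
            f"{who.name} ({who.role.value}) may not run {command!r}"
        )


# Constructed handlers standing in for privileged and unprivileged operations.
HANDLERS: Dict[str, Callable[[], str]] = {
    "status": lambda: "ok",
    "help": lambda: "status, help",
    "restart": lambda: "restarting",
    "set-policy": lambda: "policy updated",
    "rotate-token": lambda: "token rotated",
}


def dispatch_missing_check(command: str, who: Participant) -> str:
    """Vulnerable shape: the caller was authenticated earlier, but no
    authorization happens here, so any authenticated participant reaches
    owner-only handlers (the CWE-863 pattern)."""
    handler = HANDLERS.get(command)
    if handler is None:
        raise KeyError(command)
    return handler()


def dispatch(command: str, who: Participant) -> str:
    """Fixed shape: the policy check sits on the path to every handler."""
    authorize(command, who)
    return HANDLERS[command]()


def denied_attempts() -> int:
    """Number of denied invocations recorded so far (useful for alerting)."""
    return len(AUDIT_LOG)


if __name__ == "__main__":
    owner = Participant("alice", Role.OWNER)
    member = Participant("bob", Role.MEMBER)
    print(dispatch("status", member))                 # ok
    print(dispatch("restart", owner))                 # restarting
    print(dispatch_missing_check("restart", member))  # restarting: no check
    try:
        dispatch("restart", member)
    except AuthorizationError as err:
        print("blocked:", err)
    print(AUDIT_LOG)
```

The defensive point is that `authorize` is the only route to a handler, so a new owner-only command cannot be forgotten by a code path that "already knows" the caller is logged in; the audit entries written on denial are also the signal a detection rule would watch for repeated attempts by non-owner accounts.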
OpenCVE Enrichment