CVE-2026-53809

CVE Database · CVE-2026-53809

CVE-2026-53809

· LOWAnalyzed

CVSS v3.1

3.8

CVSS v4.0

4.8

EPSS

0.09%

Published

Jun 11, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Weaknesses (CWE)

CWE-863

Affected Products (1)

openclaw · openclaw (up to 2026.4.25)vulnerable

References (2)

https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m

MitigationVendor Advisory

https://www.vulncheck.com/advisories/openclaw-provider-alias-confusion-in-embedded-runner-policy

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs