CVE-2026-53850 | OpenClaw before 2026.4.25 contains a control scope enforceme… | CVSS 5.5 MEDIUM

Description

OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.

Metadata

CVE ID: CVE-2026-53850
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:21 UTC
Published: 2026-06-16 18:05 UTC
Last updated: 2026-06-16 18:38 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

5.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.4.25, 2026.4.25

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
5.5	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (2)

GitHub Security Advisory (GHSA-mpc8-jxjh-qpgh) https://github.com/openclaw/openclaw/security/advisories/GHSA-mpc8-jxjh-qpgh
VulnCheck Advisory: OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command https://www.vulncheck.com/advisories/openclaw-control-scope-enforcement-bypass-in-focus-command