CVE-2026-53862 | OpenClaw before 2026.5.12 contains a bootstrap token replay … | CVSS 4.2 MEDIUM

Description

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

Metadata

CVE ID: CVE-2026-53862
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:22 UTC
Published: 2026-06-16 18:05 UTC
Last updated: 2026-06-16 18:36 UTC
Primary CWE: CWE-266
Incorrect Privilege Assignment
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

4.2 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.5.12, 2026.5.12

Weakness (CWE)

CWE	Source	Description
CWE-266	cna	Incorrect Privilege Assignment
CWE-345	cna	Insufficient Verification of Data Authenticity

CVSS scores (2)

Score	Severity	Version	Source	Vector
4.2	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-9v8j-9c9g-w66c) https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c
VulnCheck Advisory: OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening https://www.vulncheck.com/advisories/openclaw-bootstrap-token-replay-via-pending-pairing-scope-widening