CVE-2026-53814
Published: 11 June 2026
Summary
CVE-2026-53814 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Abuse Elevation Control Mechanism (T1548); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36320
Vulnerability details
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access…
more
or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect privilege scoping on hook/agent execution directly enables abuse of elevation control to access owner-only actions.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
Regular reviews catch incorrect privilege assignments to users, roles, or processes.
Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.