CVE-2026-53808 MEDIUM

CVE-2026-53808: OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

Vendor Openclaw
Product OpenClaw
Weakness CWE-863 · Incorrect authorization
Published June 11, 2026
Last update June 12, 2026

CVSS base score

6.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 12, 2026 Record updated