CVE-2026-53814: OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2026.5.20
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in OpenClaw versions before 2026.5.20. An attacker with a valid hook token can send a crafted request to the /hooks/agent endpoint over the network, causing spawned CLI runtimes to receive owner-level MCP tool authority instead of the restricted scope appropriate for hooks. Successful exploitation allows the attacker to invoke owner-only MCP tools, including making persistent cron state modifications and other privileged actions. A patched-image rebuild at version 2026.5.20 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-53814 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images derived from OpenClaw base layers. Any image running OpenClaw below version 2026.5.20 is flagged automatically in both registry scans and CI pipeline checks.
Available
HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules for the affected workloads.
Available
A patched-image rebuild targeting OpenClaw 2026.5.20 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers an automated rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the /hooks/agent endpoint over the network; the service must be exposed to the attacker's network for exploitation to be possible.
- Authentication: Required
  A valid hook token is required; any low-privilege account or integration that holds such a token is sufficient to trigger the vulnerability.
- Victim interaction: Not required
  No user interaction is needed; the attacker submits a crafted request directly to the endpoint without involving another user.
- Attack complexity: Detail
  Attack complexity is low; the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental factors to succeed.
Blast Radius
- Reads data accessible to the owner account, including secrets, configurations, and tool outputs that the hook scope should not reach.
- Invokes owner-only MCP tools, enabling the attacker to make persistent cron state modifications and trigger privileged automation actions.
- Modifies persisted scheduling or workflow state within the OpenClaw runtime under the authority of the owner scope.
- Availability impact on the affected service is low; the service is not crashed but may behave unpredictably due to unauthorized state changes.
How HarborGuard Handles This
Available on HarborGuard: images running OpenClaw below 2026.5.20 are matched against this CVE within minutes of advisory ingestion and surfaced as HIGH-severity findings in both registry and pipeline scan results. For customers with auto-remediation enabled, HarborGuard triggers a rebuild at version 2026.5.20, executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the fix version. Because this vulnerability requires only a valid hook token and no victim interaction, reducing the network exposure of the /hooks/agent endpoint via network policy or ingress controls is a practical compensating control while a rebuild is reviewed and promoted.
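Before restricting ingress to /hooks/agent as described above, it helps to know which sources call the endpoint today. The following is an added example, not HarborGuard or OpenClaw code: it scans reverse-proxy access logs for requests to the endpoint that originate outside an allowlist. The Combined Log Format, the allowlisted CIDR and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the proxy in front of OpenClaw writes Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the only network that should ever reach the hook endpoint.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
HOOK_PATH = "/hooks/agent"


def is_hook_request(path):
    """True for /hooks/agent itself, ignoring query string and trailing slash."""
    return path.split("?", 1)[0].rstrip("/") == HOOK_PATH


def unexpected_hook_callers(lines, allowed=ALLOWED_SOURCES):
    """Return (ip, timestamp, status) for hook requests from outside `allowed`."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_hook_request(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            # Unparseable client field: report it rather than skip it silently.
            findings.append((m["ip"], m["ts"], int(m["status"])))
            continue
        if not any(src in net for net in allowed):
            findings.append((str(src), m["ts"], int(m["status"])))
    return findings


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [21/May/2026:10:01:02 +0000] "POST /hooks/agent HTTP/1.1" 200 512 "-" "ci-bot"',
    '198.51.100.7 - - [21/May/2026:10:03:44 +0000] "POST /hooks/agent?x=1 HTTP/1.1" 200 498 "-" "curl/8.5"',
    '198.51.100.7 - - [21/May/2026:10:03:50 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/8.5"',
    '203.0.113.9 - - [21/May/2026:10:05:10 +0000] "POST /hooks/agent/ HTTP/1.1" 401 0 "-" "python-requests"',
]

if __name__ == "__main__":
    for ip, ts, status in unexpected_hook_callers(SAMPLE_LOG):
        print(f"{ts} {ip} -> {HOOK_PATH} (HTTP {status})")
```

Sources reported here are the ones a network policy or ingress rule scoped to the allowlist would cut off, so the output doubles as a pre-change impact check.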
- OpenClaw / OpenClaw: < 2026.5.20 (from 0). Fixed in 2026.5.20
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N