CVE-2026-53817: OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing

Synopsis

This is a locality spoofing vulnerability in OpenClaw's Control UI device pairing flow, affecting all versions before 2026.5.22. An authenticated attacker with network access can send forged locality information during the pairing handshake, bypassing the trust validation that is supposed to limit shared access. Successful exploitation lets the attacker convert a temporary shared-access grant into a durable admin-capable device token that persists even after token rotation. A patched-image rebuild at version 2026.5.22 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the OpenClaw Control UI pairing endpoint over the network; there is no local or physical access requirement.

• AuthenticationRequired

  A low-privilege account is sufficient; the attacker needs any valid credential to initiate the pairing flow and inject spoofed locality data.

• Victim interactionNot required

  No user action is needed; the attacker drives the exploit entirely through the pairing API without involving another user.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions.

Blast Radius

• The attacker obtains a durable admin-capable device token, giving persistent administrative access to the paired device.
• Because the token survives rotation, standard token-invalidation responses do not evict the attacker from the session.
• With admin-level token access, the attacker can read stored configuration, credentials, and any data accessible to an admin session on the device.
• The attacker can modify device configuration and access controls, potentially establishing a persistent foothold that outlasts incident-response actions.