CVE-2026-53843: OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session

Synopsis

This is an authorization bypass vulnerability in OpenClaw versions before 2026.5.26. An attacker who holds a pairing-scoped device session can re-establish node token authority after that token has been explicitly revoked, bypassing the intended revocation controls over a network connection using a low-privilege paired-device credential. Successful exploitation lets the attacker maintain unauthorized WebSocket node-level access beyond the intended session lifetime, reading, writing, and disrupting node-level resources. A patched-image rebuild at version 2026.5.26 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the OpenClaw service over the network to exploit the WebSocket-based token revocation bypass.

• AuthenticationRequired

  A low-privilege paired-device credential is required; any account that has previously completed device pairing is sufficient.

• Victim interactionNot required

  No victim action is needed; the attacker exploits the bypass entirely through their own session.

• Attack complexityDetail

  Exploit conditions are reliable and free of race conditions or environmental dependencies; a paired device session is the only prerequisite.

Blast Radius

• Reads node-level data accessible over the WebSocket connection, including configuration state and any data exposed at node scope.
• Modifies node-level resources, allowing the attacker to alter configuration or inject commands through the re-established token authority.
• Disrupts node availability by issuing commands that crash or destabilize the affected node.
• Prolongs unauthorized access beyond the intended session lifetime by repeatedly re-establishing revoked token authority without renewed approval.