OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.

AI Analysis

Locality validation vulnerability in Control UI pairing allowing attackers to spoof locality information and obtain admin-capable device tokens

Basic Information

ID CVE-2026-53817

Source VulnCheck

Published Jun 11, 2026 at 20:09

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-290

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor OpenClaw

Product OpenClaw

Version < 2026.5.22

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.",
    "published": "2026-06-11T20:09:38.043Z",
    "modified": "2026-06-11T20:09:38.043Z",
    "type": "cve",
    "title": "OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw\nhttps://www.vulncheck.com/advisories/openclaw-control-ui-locality-spoofing-in-device-pairing",
    "id": "CVE-2026-53817",
    "bulletinFamily": "",
    "cwe": [
        "CWE-290"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Locality validation vulnerability in Control UI pairing allowing attackers to spoof locality information and obtain admin-capable device tokens",
    "ai_severity": "High",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.5.22",
    "ai_score": 8.7
}

OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing_CVE-2026-53817