OpenClaw < 2026.4.24 - Insecure File Permissions in Config Recovery...

5.7 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.

Basic Information

ID CVE-2026-53856

Source VulnCheck

Published Jun 16, 2026 at 18:05

Modified Jun 16, 2026 at 18:37

Affected Product

Vendor OpenClaw

Product OpenClaw

Version 2026.4.23

Affected Versions OpenClaw OpenClaw 2026.4.23

CWE Classification

CWE-732

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.",
    "published": "2026-06-16T18:05:04.424Z",
    "modified": "2026-06-16T18:37:24.224Z",
    "type": "cve",
    "title": "OpenClaw < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq\nhttps://www.vulncheck.com/advisories/openclaw-insecure-file-permissions-in-config-recovery-via-openclaw-json",
    "id": "CVE-2026-53856",
    "bulletinFamily": "",
    "cwe": [
        "CWE-732"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 2026.4.23",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "2026.4.23",
    "vendor": "OpenClaw",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenClaw < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json_CVE-2026-53856