CVE-2026-53820EPSS p0.8%

CVE-2026-53820CVE-2026-53820

openclaw / openclaw

Description

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.

Scoring

CVSS 6.6 ()
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS0.09% probability of exploitation · percentile 0.8% · 2026-06-18T12:00:27Z
Last modified2026-06-16
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.