CVE-2026-53855

HIGH 8.1

OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.

CWE	CWE-184 CWE-863
Vendor	openclaw
Product	openclaw
Published	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-shell-positional-parameters-bypass-in-inline-eval-checks

Credits

🔍 cantinagen Ellahi (@Ellahinator)