CVE-2026-53856: Incorrect Permission Assignment for Critical Resource in OpenClaw Config Recovery

Vulnerability ID: CVE-2026-53856
CVSS Score: 5.7
Published: 2026-06-18

OpenClaw versions before 2026.4.24 contain an insecure file permissions vulnerability in the configuration recovery mechanism. When a local configuration repair is triggered, the recovery path restores the primary configuration file, openclaw.json, with overly broad permissions. This enables low-privileged local attackers in multi-user or shared hosting environments to read sensitive system credentials, API tokens, and private assistant configurations.

TL;DR

OpenClaw's configuration recovery mechanism recreates openclaw.json with overly permissive file system permissions (e.g., 0644 instead of 0600). This allows local, low-privileged users on the same host to read sensitive parameters, including OpenAI and Anthropic API keys.

Technical Details

CWE ID: CWE-732
Attack Vector: Local
CVSS v4.0 Score: 5.7 (Medium)
EPSS Score: 0.00094
Impact: High Confidentiality Loss
Exploit Status: none
KEV Status: Not Listed

Affected Systems

OpenClaw operating in multi-user or shared hosting environments
OpenClaw: >= 2026.4.23, < 2026.4.24 (Fixed in: 2026.4.24)

Mitigation Strategies

Upgrade OpenClaw to version 2026.4.24 or later to ensure the recovery routine writes the configuration file with secure permissions.
Manually modify permissions of the existing 'openclaw.json' to restrict read and write access to the owner only.
Configure a restrictive system umask (such as 0077) for the user account running the OpenClaw service.

Remediation Steps:

Identify the installation path of the OpenClaw configuration file (usually 'openclaw.json').
Apply owner-only permissions to the file using the command: chmod 600 /path/to/openclaw/openclaw.json
Verify the permissions are securely set by running: ls -la /path/to/openclaw/openclaw.json
Upgrade the application binary to version 2026.4.24 to permanently fix the recovery path logic.