Openclaw · Openclaw · CVE-2026-53821
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.5.18
**Description**
The Gateway accepts the operator scopes a WebSocket client declares for itself before it has bound the connection to a server-approved authorization baseline (an approved pairing or a trusted-proxy grant). Because the declared scopes are cached on the live WebSocket session, an unpaired Control UI client, or a trusted-proxy client whose grant is restricted, can hold `operator.admin` authority it was never granted and invoke admin-gated Gateway RPCs over that connection.
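To make the ordering bug concrete, the following toy gateway is an added example and not OpenClaw's code: it binds operator scopes to a WebSocket session at connect time, once in the vulnerable shape described above (the client's declared scopes are cached as-is) and once hardened (the server computes the approved baseline first and the client can only narrow it). The pairing store, trusted-proxy policy, scope names other than `operator.admin`, RPC names and function names are all hypothetical.

```javascript
// Added example, not OpenClaw's code. Models a gateway that binds operator
// scopes to a WebSocket session when the client's hello frame arrives.
// Everything below (stores, scope names, RPC names) is a hypothetical stand-in.

const ADMIN_GATED_RPCS = new Set(["config.set", "users.add", "gateway.restart"]);
const ALL_SCOPES = ["operator.read", "operator.write", "operator.admin"];

// Hypothetical server-side state: pairings an operator has actually approved,
// and the scopes a trusted proxy is allowed to grant per authenticated identity.
const pairingStore = new Map([
  ["pair-approved-1", { approved: true, scopes: ["operator.read", "operator.write", "operator.admin"] }],
  ["pair-pending-2", { approved: false, scopes: [] }],
]);
const trustedProxyPolicy = new Map([
  ["alice@example.test", ["operator.read", "operator.write"]],
]);

// Server-approved baseline for a connection; null means no approved authority.
function approvedBaseline(conn) {
  if (conn.auth === "pairing") {
    const p = pairingStore.get(conn.pairingId);
    return p && p.approved ? p.scopes : null;
  }
  if (conn.auth === "trustedProxy") {
    // Identity is taken from the proxy-set header, never from the client body.
    const allowed = trustedProxyPolicy.get(conn.proxyUser);
    return allowed ? allowed : null;
  }
  return null;
}

// Vulnerable ordering: whatever the client declares is cached on the session
// before (or instead of) checking pairing/proxy approval, and later RPC
// authorization consults only that cache.
function bindScopesVulnerable(conn, hello) {
  conn.session = { scopes: new Set(hello.scopes || []) };
  return conn.session;
}

// Hardened ordering: resolve the baseline first, refuse the connection when
// there is none, and clip the client's request to the baseline.
function bindScopesFixed(conn, hello) {
  const baseline = approvedBaseline(conn);
  if (baseline === null) {
    throw new Error("unauthorized: no approved pairing or trusted-proxy grant");
  }
  const requested = new Set(hello.scopes || ALL_SCOPES);
  conn.session = { scopes: new Set(baseline.filter((s) => requested.has(s))) };
  return conn.session;
}

// RPC gate: admin-gated methods need operator.admin, everything else operator.read.
function canCall(session, rpc) {
  if (ADMIN_GATED_RPCS.has(rpc)) return session.scopes.has("operator.admin");
  return session.scopes.has("operator.read");
}

// Constructed scenario: an unpaired Control UI client whose hello simply
// claims operator.admin, then tries an admin-gated RPC on the live connection.
const unpairedConn = { auth: "pairing", pairingId: "pair-pending-2" };
const helloClaimingAdmin = { type: "connect", scopes: ["operator.admin"] };

function demo() {
  const vuln = bindScopesVulnerable({ ...unpairedConn }, helloClaimingAdmin);
  const vulnAllowed = canCall(vuln, "config.set"); // true: admin RPC reachable

  let fixedAllowed;
  try {
    const fixed = bindScopesFixed({ ...unpairedConn }, helloClaimingAdmin);
    fixedAllowed = canCall(fixed, "config.set");
  } catch (e) {
    fixedAllowed = false; // connection refused before any RPC runs
  }
  return { vulnAllowed, fixedAllowed };
}

console.log(demo());
```

The hardened path also covers the restricted trusted-proxy case: a proxy-authenticated user whose policy grants only read and write can request `operator.admin` in the hello, but the intersection with the baseline drops it, so admin-gated RPCs stay closed while ordinary ones still work. A practitioner checking a fix of this kind should confirm both orderings: that a pending pairing cannot reach any RPC, and that a proxy grant narrower than the request never widens.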
**Recommendations**
Update to version 2026.5.18 or later.