CVE-2026-53856: OpenClaw: Config recovery could restore openclaw.json with broad file permissions

June 18, 2026

Config recovery could restore openclaw.json with broad file permissions. In affected versions, a local recovery path after configuration repair could leave the restored config file more readable than intended.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw’s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

References

github.com/advisories/GHSA-rwp6-7w3q-75fq
github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq
nvd.nist.gov/vuln/detail/CVE-2026-53856
www.vulncheck.com/advisories/openclaw-insecure-file-permissions-in-config-recovery-via-openclaw-json

Code Behaviors & Features

Detect and mitigate CVE-2026-53856 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →