CVE-2026-53863: OpenClaw: Tool group policy callers could accept unvalidated group IDs
Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller able to supply a group id to the affected policy resolver could have policy resolved for a group id that was never validated against the set of known tool groups.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw’s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.