{"vulnerability": "cve-2026-53844", "sightings": [{"uuid": "c07f9efb-db15-4472-bf4d-0ae669b92f79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53844", "type": "seen", "source": "https://gist.github.com/alon710/0d5ae642ba19f62c45be74e869a28ce0", "content": "# CVE-2026-53844: CVE-2026-53844: Missing Session Visibility Authorization Bypass in OpenClaw Shared Memory Search\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-53844\n\n## Summary\nA missing authorization vulnerability (CWE-862) exists within the shared memory search interface (memory-wiki) of OpenClaw prior to version 2026.4.29. The application fails to apply visibility controls to search queries targeting `/api/memory-wiki/search`. Consequently, an authenticated attacker with low-level privileges can query the global index and exfiltrate sensitive memory entries belonging to other active or historical sessions without authorization.\n\n## TL;DR\nOpenClaw versions before 2026.4.29 fail to enforce authorization checks (SessionVisibilityGuard) on its shared memory search API endpoint. This omission allows any low-privileged authenticated user to query and retrieve private memory and configuration logs from other active or historic sessions.\n\n## Technical Details\n\n- **CWE ID**: CWE-862: Missing Authorization\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 6.5 (Medium)\n- **CVSS v4.0 Score**: 6.0 (Medium)\n- **EPSS Score**: 0.0021\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: No public proof-of-concept exists\n- **CISA KEV Status**: Not listed\n\n## Affected Systems\n\n- OpenClaw instances running versions < 2026.4.29\n- **OpenClaw**: < 2026.4.29 (Fixed in: `2026.4.29`)\n\n## Mitigation\n\n- Upgrade OpenClaw deployment to version 2026.4.29 or newer.\n- Restrict network access to the API endpoints using external authorization proxies or API gateways.\n- Deploy Web Application Firewall rules to block wildcard query strings on the shared search path.\n\n**Remediation Steps:**\n1. Identify all OpenClaw instances running versions older than 2026.4.29.\n2. Pull the updated software version via the official registry or package manager.\n3. Verify that routes/memoryWiki.js incorporates the SessionVisibilityGuard middleware.\n4. Restart the OpenClaw service and perform validation tests using a low-privileged account to confirm that search results are restricted to the local session.\n\n## References\n\n- [OpenClaw Security Advisory (GHSA-72fw-cqh5-f324)](https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324)\n- [VulnCheck Advisory for OpenClaw](https://www.vulncheck.com/advisories/openclaw-session-visibility-check-bypass-in-shared-memory-search)\n- [CVE.org CVE-2026-53844 Record](https://www.cve.org/CVERecord?id=CVE-2026-53844)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-53844) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T09:11:18.000000Z"}, {"uuid": "8c8601ef-f56b-494c-b16a-4666bb5d72db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53844", "type": "seen", "source": "https://gist.github.com/alon710/e9f4de9ef468ec9331512207326f51c3", "content": "# CVE-2026-53844: CVE-2026-53844: Missing Session Visibility Authorization Bypass in OpenClaw Shared Memory Search\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-53844\n\n## Summary\nA missing authorization vulnerability (CWE-862) exists within the shared memory search interface (memory-wiki) of OpenClaw prior to version 2026.4.29. The application fails to apply visibility controls to search queries targeting `/api/memory-wiki/search`. Consequently, an authenticated attacker with low-level privileges can query the global index and exfiltrate sensitive memory entries belonging to other active or historical sessions without authorization.\n\n## TL;DR\nOpenClaw versions before 2026.4.29 fail to enforce authorization checks (SessionVisibilityGuard) on its shared memory search API endpoint. This omission allows any low-privileged authenticated user to query and retrieve private memory and configuration logs from other active or historic sessions.\n\n## Technical Details\n\n- **CWE ID**: CWE-862: Missing Authorization\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 6.5 (Medium)\n- **CVSS v4.0 Score**: 6.0 (Medium)\n- **EPSS Score**: 0.0021\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: No public proof-of-concept exists\n- **CISA KEV Status**: Not listed\n\n## Affected Systems\n\n- OpenClaw instances running versions < 2026.4.29\n- **OpenClaw**: < 2026.4.29 (Fixed in: `2026.4.29`)\n\n## Mitigation\n\n- Upgrade OpenClaw deployment to version 2026.4.29 or newer.\n- Restrict network access to the API endpoints using external authorization proxies or API gateways.\n- Deploy Web Application Firewall rules to block wildcard query strings on the shared search path.\n\n**Remediation Steps:**\n1. Identify all OpenClaw instances running versions older than 2026.4.29.\n2. Pull the updated software version via the official registry or package manager.\n3. Verify that routes/memoryWiki.js incorporates the SessionVisibilityGuard middleware.\n4. Restart the OpenClaw service and perform validation tests using a low-privileged account to confirm that search results are restricted to the local session.\n\n## References\n\n- [OpenClaw Security Advisory (GHSA-72fw-cqh5-f324)](https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324)\n- [VulnCheck Advisory for OpenClaw](https://www.vulncheck.com/advisories/openclaw-session-visibility-check-bypass-in-shared-memory-search)\n- [CVE.org CVE-2026-53844 Record](https://www.cve.org/CVERecord?id=CVE-2026-53844)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-53844) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T09:22:12.000000Z"}]}