CVE-2026-53849 | OpenClaw before 2026.5.7 contains a privilege escalation vul… | CVSS 8.1 HIGH

Description

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

Metadata

CVE ID: CVE-2026-53849
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:21 UTC
Published: 2026-06-16 18:04 UTC
Last updated: 2026-06-18 03:55 UTC
Primary CWE: CWE-290
Authentication Bypass by Spoofing
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.5.7, 2026.5.7

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	Authentication Bypass by Spoofing

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (2)

GitHub Security Advisory (GHSA-cw4q-gqg5-g38h) https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h
VulnCheck Advisory: OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-mutable-discord-display-names-in-allowfrom