CVE-2026-53851 | OpenClaw before 2026.5.12 contains a notification bypass vul… | CVSS 5.3 MEDIUM

Description

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

Metadata

CVE ID: CVE-2026-53851
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:21 UTC
Published: 2026-06-16 18:05 UTC
Last updated: 2026-06-16 18:55 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.5.12, 2026.5.12

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (2)

GitHub Security Advisory (GHSA-fcvx-5cxc-v5p8) https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8
VulnCheck Advisory: OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass https://www.vulncheck.com/advisories/openclaw-slack-reaction-event-notification-bypass