CVE-2026-53857 | OpenClaw before 2026.5.3 contains a policy enforcement vulne… | CVSS 8.1 HIGH

Description

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

Metadata

CVE ID: CVE-2026-53857
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:22 UTC
Published: 2026-06-16 18:05 UTC
Last updated: 2026-06-18 03:55 UTC
Primary CWE: CWE-290
Authentication Bypass by Spoofing
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.5.3, 2026.5.3

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	Authentication Bypass by Spoofing

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (2)

GitHub Security Advisory (GHSA-8c59-hr4w-qg69) https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69
VulnCheck Advisory: OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy https://www.vulncheck.com/advisories/openclaw-mutable-display-name-binding-in-zalo-allowfrom-policy