CVE Catalog

CVE-2026-53807

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

14th percentile - higher than 14% of all known CVEs

Summary

OpenClaw before version 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.

Risk Assessment

This vulnerability may lead to unauthorized access to system functions, posing a risk of abuse and potential attacks on the organization. It allows attackers to operate in a way that bypasses security measures, which can lead to serious consequences.

Recommendation

It is recommended to update OpenClaw to version 2026.5.6 or later to mitigate this vulnerability. Additionally, conducting a security audit to identify and minimize risks associated with this vulnerability is advisable.

Original NVD description (English source)

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS