CVE-2026-53807
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
OpenClaw before version 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.
Risk Assessment
This vulnerability may lead to unauthorized access to system functions, posing a risk of abuse and potential attacks on the organization. It allows attackers to operate in a way that bypasses security measures, which can lead to serious consequences.
Recommendation
It is recommended to update OpenClaw to version 2026.5.6 or later to mitigate this vulnerability. Additionally, conducting a security audit to identify and minimize risks associated with this vulnerability is advisable.
Original NVD description (English source)
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.

