CVE Catalog

CVE-2026-53849

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

12th percentile - higher than 12% of all known CVEs

Summary

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

Risk Assessment

Organizations may be exposed to unauthorized access to resources, potentially leading to data leaks or abuse. Privilege escalation by attackers could threaten system integrity.

Recommendation

It is recommended to update OpenClaw to version 2026.5.7 or later to mitigate this vulnerability. Additionally, implementing further identity verification mechanisms for users is advisable.

Original NVD description (English source)

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS