CVE-2026-53849
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
Risk Assessment
Organizations may be exposed to unauthorized access to resources, potentially leading to data leaks or abuse. Privilege escalation by attackers could threaten system integrity.
Recommendation
It is recommended to update OpenClaw to version 2026.5.7 or later to mitigate this vulnerability. Additionally, implementing further identity verification mechanisms for users is advisable.
Original NVD description (English source)
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

