CVE Catalog

CVE-2026-53860

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

OpenClaw before version 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity.

Risk Assessment

Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

Recommendation

It is recommended to update OpenClaw to version 2026.5.7 or later to mitigate this vulnerability and review the access policy of the system.

Original NVD description (English source)

OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS