CVE-2026-53860
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
OpenClaw before version 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity.
Risk Assessment
Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
Recommendation
It is recommended to update OpenClaw to version 2026.5.7 or later to mitigate this vulnerability and review the access policy of the system.
Original NVD description (English source)
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

