CVE-2026-53837
3.7 LOWOpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel ty...
Published: 2026-06-12 · Last updated: 2026-06-16
Severity and scoring
- CVSS
- 3.7 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-636
Affected products
| Vendor | Product |
|---|---|
| openclaw | openclaw |
Description
OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-53839 — OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes ins... (6.5 MEDIUM)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53836 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to exec... (8.8 HIGH)
- CVE-2026-53835 — OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authentic... (4.3 MEDIUM)
- CVE-2026-53834 — OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated s... (7.5 HIGH)
Same CWE
- CVE-2026-53852 — OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to r... (5.4 MEDIUM)
- CVE-2026-49318 — Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows ... (2.4 LOW)
- CVE-2026-49317 — Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows ... (2.4 LOW)
- CVE-2026-42246 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (7.4 HIGH)