CVE-2026-53849
8.1 HIGHOpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account i...
Published: 2026-06-16 · Last updated: 2026-06-16
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-290
Description
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53857 — OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowF... (8.1 HIGH)
- CVE-2026-42662 — Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions (6.5 MEDIUM)
- CVE-2026-27089 — Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions (7.5 HIGH)
- CVE-2026-36537 — ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange (9.8 CRITICAL)
- CVE-2026-49757 — Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC ...