CVE-2026-53849

HIGH EPSS 18.2%

Published Jun 16, 20261w ago · Modified Jun 18, 20261w ago

8.6 CVSS 4.0

High

Published Jun 16, 2026 1w ago

Last Modified Jun 18, 2026 1w ago

Description

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

CVSS Details

Base Score

8.6

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

18.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-290

Affected Products 2

Vendor	Product	Version	Range
openclaw	openclaw	*	<2026.5.7
openclaw	openclaw	2026.5.7	any

References 2

github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h

Vendor Advisory
vulncheck.com https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-mutable-discord-display-names-in-allowfrom

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.