CVE-2026-53849

HIGH

OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-cw4q-gqg5-g38h)
https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-mutable-discord-display-names-in-allowfrom

Scores

CVSS v3 8.1
EPSS 0.0027
EPSS Percentile 18.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-290
Status published
Products (5)
npm/openclaw 0 - 2026.5.7npm
openclaw/openclaw 2026.5.7 beta1
OpenClaw/OpenClaw < 2026.5.7
openclaw/openclaw < 2026.5.7
OpenClaw/OpenClaw 2026.5.7
Published Jun 16, 2026
Tracked Since Jun 17, 2026