CVE-2026-53857

HIGH

OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-8c59-hr4w-qg69)
https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy
https://www.vulncheck.com/advisories/openclaw-mutable-display-name-binding-in-zalo-allowfrom-policy

Scores

CVSS v3 8.1
EPSS 0.0022
EPSS Percentile 13.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-290
Status published
Products (4)
npm/openclaw 0 - 2026.5.3npm
OpenClaw/OpenClaw < 2026.5.3
openclaw/openclaw < 2026.5.3
OpenClaw/OpenClaw 2026.5.3
Published Jun 16, 2026
Tracked Since Jun 17, 2026