CVE-2026-53849: Privilege Escalation and Authentication Bypass via Mutable Discord Display Names in OpenClaw allowFrom
Vulnerability ID: CVE-2026-53849
CVSS Score: 8.6
Published: 2026-06-18
OpenClaw before version 2026.5.7 contains a security vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names rather than immutable user IDs. This allows remote attackers to bypass authorization controls and escalate privileges by changing their Discord display or global names to match a configured policy entry.
TL;DR
OpenClaw before 2026.5.7 allows remote privilege escalation because its authentication policy checks mutable Discord display names instead of unique, immutable Snowflake IDs.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-290 (Authentication Bypass by Spoofing)
- Attack Vector: Network (AV:N)
- CVSS Score: 8.6 (High)
- EPSS Score: 0.00213 (0.213%)
- Impact: Privilege Escalation / Remote Command Execution
- Exploit Status: Proof of Concept (PoC)
- KEV Status: Not Listed
Affected Systems
- openclaw
  - openclaw: < 2026.5.7 (Fixed in: 2026.5.7)
Mitigation Strategies
- Upgrade openclaw dependency to version 2026.5.7 or later
- Migrate allowFrom configurations from display names to static, immutable 18-digit Discord Snowflake IDs
- Implement channel access restrictions inside Discord settings
Remediation Steps:
- Identify any configuration files utilizing allowFrom
- Replace text-based display names with the matching Discord Snowflake IDs
- Run npm install openclaw@2026.5.7 to update the package
- Restart the OpenClaw service and monitor logs to verify successful startup
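The following is an added example, not OpenClaw's own code, showing the difference between the two policy checks described above and a small audit helper for the migration step. The user object shape follows the Discord API (an immutable `id` Snowflake alongside the mutable `username`, `global_name` and per-server `nick`); the function names, the policy array format and the sample accounts are assumptions constructed for this example.

```javascript
// Added example, not OpenClaw's own code: a simplified allowFrom check in
// the vulnerable (display-name) form and the hardened (Snowflake ID) form,
// plus an audit helper that flags policy entries still using names.
// Function names and policy format are assumptions for this example.

// Discord Snowflake IDs are decimal strings of 17 to 20 digits
// (the advisory above cites 18 digits; older accounts have 17).
const SNOWFLAKE_RE = /^\d{17,20}$/;

// Vulnerable form: any of the user's mutable name fields is compared
// against the policy, so an account that renames itself to match an
// entry passes the check (CWE-290).
function isAllowedByName(user, allowFrom) {
  const names = [user.username, user.global_name, user.nick].filter(Boolean);
  return names.some((name) => allowFrom.includes(name));
}

// Hardened form: only the immutable `id` is compared, and only against
// policy entries that are themselves well-formed Snowflake IDs, so a
// leftover name entry can never match anything.
function isAllowedById(user, allowFrom) {
  return allowFrom.some(
    (entry) => SNOWFLAKE_RE.test(String(entry)) && String(entry) === user.id,
  );
}

// Migration audit: returns the allowFrom entries that are not Snowflake
// IDs, i.e. the ones an operator must replace with IDs before relying
// on the fix.
function auditAllowFrom(allowFrom) {
  return allowFrom.filter((entry) => !SNOWFLAKE_RE.test(String(entry)));
}

// Constructed sample data (not real accounts or policies).
const samplePolicy = ["alice", "123456789012345678"];
const sampleOperator = {
  id: "123456789012345678",
  username: "alice",
  global_name: "Alice",
};
// A different account whose global display name has been set to "alice".
const sampleImpostor = {
  id: "987654321098765432",
  username: "someone_else",
  global_name: "alice",
};

// Runs both checks against both accounts and returns the outcomes, so the
// effect of switching from names to IDs is visible side by side.
function demo() {
  return {
    operatorByName: isAllowedByName(sampleOperator, samplePolicy),
    impostorByName: isAllowedByName(sampleImpostor, samplePolicy),
    operatorById: isAllowedById(sampleOperator, samplePolicy),
    impostorById: isAllowedById(sampleImpostor, samplePolicy),
    entriesToMigrate: auditAllowFrom(samplePolicy),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample policy, the name-based check accepts both accounts while the ID-based check accepts only the operator, and `auditAllowFrom` reports `"alice"` as the entry that still needs to be replaced by its Snowflake ID. Running the audit over every `allowFrom` list before the upgrade is a quick way to confirm that no name-based entries remain.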
References
Read the full report for CVE-2026-53849 on our website for more details including interactive diagrams and full exploit analysis.