DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53857: Authentication Bypass via Mutable Display Name Spoofing in OpenClaw allowFrom Policy

Vulnerability ID: CVE-2026-53857
CVSS Score: 8.6
Published: 2026-06-18

CVE-2026-53857 (GHSA-8c59-hr4w-qg69) is a high-severity authentication bypass vulnerability in OpenClaw (formerly Moltbot/Clawdbot) versions prior to 2026.5.3. The vulnerability arises from an insecure authorization mechanism in the Zalo messaging platform integration. Instead of matching allowFrom entries against persistent, immutable user identifiers, the OpenClaw framework evaluated permissions based on mutable, user-controlled display names. An attacker can exploit this weakness by changing their Zalo profile display name to match an identity authorized in the allowFrom policy, gaining full access to restricted agent capabilities.

TL;DR

OpenClaw versions prior to 2026.5.3 authenticate Zalo users using their mutable display names rather than unique user IDs. Attackers can bypass access controls simply by changing their display name to match an authorized user's name.


Technical Details

  • CWE ID: CWE-290 (Authentication Bypass by Spoofing)
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 8.6 (High)
  • EPSS Score: 0.00213 (Percentile: 11.50%)
  • Impact: High Confidentiality, High Integrity (VC:H/VI:H)
  • Exploit Status: No public exploits or weaponized PoCs available
  • KEV Status: Not listed in the CISA KEV Catalog

Affected Systems

  • OpenClaw Integration Framework
  • OpenClaw: < 2026.5.3 (Fixed in: 2026.5.3)

Mitigation Strategies

  • Upgrade OpenClaw installations to version 2026.5.3 or later to enforce immutable user ID validation.
  • Deactivate the Zalo messaging integration channel entirely if immediate patching cannot be performed.
  • Restrict the bot account settings within the Zalo platform to reject automatic buddy or contact requests.

Remediation Steps

  1. Identify all deployed instances of the OpenClaw framework running version ranges prior to 2026.5.3.
  2. Pull the official patch update from the upstream repository or update the package dependencies to 2026.5.3.
  3. Update your allowFrom configurations by replacing any human-readable display names with the immutable, unique Zalo Account IDs for all authorized personnel.
  4. Restart the OpenClaw service and review the initialization logs to confirm that the allowFrom entries are being parsed and enforced as account IDs.
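The name-based check the advisory describes beside the ID-based check that step 3 moves to, plus a small collision detector a defender can log on, as an added TypeScript illustration; all type and field names are assumptions, and this is not OpenClaw's own code.

```typescript
// Added illustration of the allowFrom weakness described above. Type and
// field names are assumptions, not OpenClaw's actual code.
interface ZaloInboundMessage {
  senderId: string;   // immutable account identifier (assumed field name)
  senderName: string; // mutable profile display name (assumed field name)
  text: string;
}

// Vulnerable pattern (pre-2026.5.3 behaviour per the advisory): allowFrom is
// matched against the display name, which the sender controls.
function isAllowedByDisplayName(allowFrom: string[], msg: ZaloInboundMessage): boolean {
  return allowFrom.includes(msg.senderName);
}

// Hardened pattern: allowFrom holds immutable IDs only. Entries that do not
// look like IDs are rejected at load time, so a display name left over from an
// old config fails closed rather than quietly staying in the policy.
const ZALO_ID_PATTERN = /^\d{6,}$/; // assumed ID shape; adjust to the real format

function loadAllowFrom(raw: string[]): string[] {
  const notIds = raw.filter((entry) => !ZALO_ID_PATTERN.test(entry));
  if (notIds.length > 0) {
    throw new Error(`allowFrom must contain immutable IDs, not display names: ${notIds.join(", ")}`);
  }
  return raw;
}

function isAllowedBySenderId(allowFrom: string[], msg: ZaloInboundMessage): boolean {
  return allowFrom.includes(msg.senderId);
}

// Detection aid: a directory of allowed IDs to the names they were enrolled
// with. A message whose name matches an enrolled operator but whose ID does
// not is worth logging as a possible display-name spoof attempt.
function looksLikeNameSpoof(directory: Record<string, string>, msg: ZaloInboundMessage): boolean {
  return Object.keys(directory).some(
    (id) => directory[id] === msg.senderName && id !== msg.senderId,
  );
}

// Constructed sample traffic: a legitimate operator and an impostor who set
// their profile name to the operator's.
const directory: Record<string, string> = { "100200300": "Alice Admin" };
const legitimate: ZaloInboundMessage = { senderId: "100200300", senderName: "Alice Admin", text: "status" };
const impostor: ZaloInboundMessage = { senderId: "900800700", senderName: "Alice Admin", text: "status" };
```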
