CVE-2026-53815
Analyzed Analyzed - Analysis Complete

Authorization Bypass in OpenClaw Message Read Actions

Vulnerability report for CVE-2026-53815, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: VulnCheck

Description

OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.19 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.5.19 and involves an authorization bypass in the message read actions.

Specifically, the vulnerability allows lower-trust callers to bypass channel allowlist checks, meaning they can request and access messages from channels that are not intended for them.

This happens due to insufficient validation in the affected feature, which skips proper authorization controls.

Impact Analysis

The impact of this vulnerability is that unauthorized users with lower trust levels can access sensitive messages from channels they should not have permission to view.

This exposure of sensitive channel messages can lead to information leakage and compromise confidentiality within the affected system.

Compliance Impact

This vulnerability allows lower-trust callers to bypass authorization checks and access sensitive messages from channels not intended for them, potentially exposing sensitive information.

Such unauthorized exposure of sensitive information could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

The practical impact on compliance depends on the operator's configuration and whether untrusted users can exploit the vulnerability to access protected data.

Mitigation steps include limiting message read actions to trusted operators, maintaining narrow channel allowlists, and disabling the affected feature when not needed to reduce the risk of unauthorized data exposure.

Mitigation Strategies

To mitigate the authorization bypass vulnerability in OpenClaw before version 2026.5.19, operators should take the following immediate steps:

  • Limit message read actions to trusted operators only.
  • Keep channel allowlists narrow to restrict access.
  • Avoid sharing a single Gateway between mutually untrusted users.
  • Disable the affected message read feature when it is not needed.

Additionally, upgrading to OpenClaw version 2026.5.19 or later, where this issue is patched, is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart