CVE-2026-53835
Received Received - Intake
Path Traversal in OpenClaw Feishu Extension

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulnCheck

Description
OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding feature to change sender-agent binding state beyond intended policy, potentially enabling unauthorized binding modifications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-13
AI Q&A
2026-06-13
EPSS Evaluated
N/A
NVD
CVE-2026-53835
EUVD
EUVD-2026-36623
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.5.6 and involves a configuration enforcement bypass in the Feishu dynamic-agent bindings feature.

Specifically, authenticated senders can create or update bindings without the system enforcing the configured config-write controls, meaning the intended restrictions on modifying bindings are not properly applied.

Attackers can exploit this flaw by using the dynamic-agent binding feature to change the sender-agent binding state beyond what the policy intends, potentially allowing unauthorized modifications.

Impact Analysis

The vulnerability allows attackers with authentication to bypass configuration controls and modify sender-agent bindings in ways not intended by policy.

This could lead to unauthorized changes in the system's binding state, potentially undermining security policies and allowing actions that should be restricted.

While the impact is limited by the need for authentication, it still poses a risk of unauthorized configuration changes that could affect system behavior or security posture.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart