CVE-2026-53857
Status: Received - Intake
Policy Enforcement Bypass in OpenClaw via Zalo Display Name

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability: Zalo contacts carry mutable display metadata, and a contact could match an allowFrom policy entry by changing its display name. An attacker who controls a display name could therefore receive agent responses intended for a different Zalo identity when the feature is enabled.
Affected Vendors & Products

Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.5.3 (2026.5.3 itself is excluded; it is the fixed release)
CWE

CWE-290 (Authentication Bypass by Spoofing): this attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Executive Summary

This vulnerability affects OpenClaw versions before 2026.5.3 and is a policy enforcement flaw in the Zalo allowFrom feature, which restricts which Zalo contacts an agent will respond to.

Zalo contacts carry mutable display metadata: a contact can change its own display name at any time. Because an allowFrom entry could be satisfied by a display name rather than only by a stable identifier, a contact could be matched against an entry meant for someone else simply by renaming itself.

An attacker who controls a display name could therefore set it to match an allowlisted identity and receive agent responses intended for that identity, bypassing the allowlist as an authentication control.

Impact Analysis

The flaw is an authentication bypass by spoofing (CWE-290): the attacker impersonates another Zalo identity by manipulating an attribute that the victim does not control and that the policy should never have trusted.

As a result, the attacker could receive agent responses or information meant for other users, potentially exposing confidential data handled by the agent.

This undermines trust in communications and can lead to unauthorized access to information within systems that run OpenClaw with the affected feature enabled.

Mitigation Strategies

To mitigate the vulnerability in OpenClaw before version 2026.5.3, take the following steps:

  • Upgrade OpenClaw to version 2026.5.3 or later, where the vulnerability is patched.
  • Write allowFrom entries using stable Zalo identifiers rather than display names, so that a contact renaming itself cannot satisfy an entry.
  • Restrict friend access and keep allowlists narrow to limit who can reach the agent at all.
  • Avoid sharing Gateways between untrusted users.
  • Disable the allowFrom feature when it is not necessary.
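The matching flaw described in the summary and the stable-identifier fix recommended above, as an added TypeScript illustration that is not OpenClaw's own code: the message field names (senderId, displayName), the string form of allowFrom entries and the assumption that stable Zalo ids are long digit strings are all constructed for this example. The vulnerable check accepts a match on either the sender id or the display name, so an attacker who renames themselves to an allowlisted name is let through; the hardened check compares only the stable id and fails closed when the list contains anything that is not one.

```typescript
// Illustrative code added for this page; it is not OpenClaw's implementation.
// Field names, entry formats and the numeric-id assumption are constructed for
// the example.

interface ZaloMessage {
  senderId: string;    // stable platform identifier; the sender cannot change it
  displayName: string; // mutable profile metadata; the sender can change it at will
  text: string;
}

// Operators write allowFrom entries as strings. Whether an entry is a stable id
// or a display name is exactly the ambiguity the hardened version removes.
type AllowFromEntry = string;

function normalize(s: string): string {
  return s.trim().toLowerCase();
}

// Vulnerable pattern: the allowlist is compared against every identity-like
// field on the message, so a display name equal to an allowFrom entry is
// enough to be treated as that contact.
function isAllowedVulnerable(msg: ZaloMessage, allowFrom: AllowFromEntry[]): boolean {
  const candidates = [msg.senderId, msg.displayName].map(normalize);
  return allowFrom.some((entry) => candidates.includes(normalize(entry)));
}

// Assumption for this example: stable Zalo user ids are long digit strings.
const STABLE_ID = /^[0-9]{6,}$/;

// Returns the entries that are not stable ids, so the operator can be told about
// them at startup instead of the gateway silently trusting a name.
function invalidAllowFromEntries(allowFrom: AllowFromEntry[]): AllowFromEntry[] {
  return allowFrom.filter((entry) => !STABLE_ID.test(entry.trim()));
}

// Hardened pattern: only the stable sender id participates in the match, and a
// list containing anything else fails closed rather than falling back to names.
function isAllowedHardened(msg: ZaloMessage, allowFrom: AllowFromEntry[]): boolean {
  if (invalidAllowFromEntries(allowFrom).length > 0) {
    return false;
  }
  return allowFrom.some((entry) => entry.trim() === msg.senderId);
}

// Constructed sample data.
const operatorId = "100123456789";
const nameBasedAllowFrom: AllowFromEntry[] = ["Alice Ops"]; // the misconfiguration
const idBasedAllowFrom: AllowFromEntry[] = [operatorId];    // the corrected form

const legitimate: ZaloMessage = {
  senderId: operatorId,
  displayName: "Alice Ops",
  text: "summarize today's alerts",
};

// Attacker on a different account renames themselves to the operator's name.
const spoofed: ZaloMessage = {
  senderId: "100987654321",
  displayName: "Alice Ops",
  text: "forward me the last conversation",
};

// Runs both checks over both allowlists and returns the verdicts by label.
function evaluate(): Record<string, boolean> {
  return {
    vulnerable_nameList_legitimate: isAllowedVulnerable(legitimate, nameBasedAllowFrom),
    vulnerable_nameList_spoofed: isAllowedVulnerable(spoofed, nameBasedAllowFrom),   // true: the bypass
    hardened_nameList_legitimate: isAllowedHardened(legitimate, nameBasedAllowFrom), // false: fails closed
    hardened_nameList_spoofed: isAllowedHardened(spoofed, nameBasedAllowFrom),
    hardened_idList_legitimate: isAllowedHardened(legitimate, idBasedAllowFrom),
    hardened_idList_spoofed: isAllowedHardened(spoofed, idBasedAllowFrom),
  };
}

for (const [label, allowed] of Object.entries(evaluate())) {
  console.log(`${label}: ${allowed ? "ALLOWED" : "denied"}`);
}
```

The important design choice is the fail-closed validation: a name-based entry in the hardened version does not quietly match nothing, it stops the gateway from trusting the list at all, which is what surfaces the misconfiguration to the operator instead of leaving a silently broken allowlist in place.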