CVE-2026-53860
Status: Received - Intake
Sender Policy Bypass in OpenClaw BlueBubbles via Metadata Spoofing

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
Affected Vendors & Products

Vendor        Product     Version / Range
bluebubbles   openclaw    up to 2026.5.7 (excluding 2026.5.7)

Weakness Classification (CWE)

CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CWE-807 (Reliance on Untrusted Inputs in a Security Decision): The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Executive Summary

CVE-2026-53860 is a sender policy bypass vulnerability in the BlueBubbles component of OpenClaw versions before 2026.5.7. The sender allowlist is matched against mutable conversation metadata, such as conversation-level identifiers, instead of a stable sender identity. An attacker who can influence that metadata can therefore satisfy an allowlist entry and receive agent responses intended for the configured senders, without ever authenticating as one of them.

Impact Analysis

This vulnerability can allow unauthorized participants to receive agent responses that were intended only for configured and authorized senders. By bypassing access controls through manipulated conversation metadata, attackers may gain access to information or interactions not meant for them. The practical impact depends on the operator's configuration and whether untrusted inputs can reach the vulnerable feature. If exploited, it could lead to information disclosure or unauthorized access within affected BlueBubbles groups.

Mitigation Strategies

To mitigate the sender policy bypass vulnerability in OpenClaw's BlueBubbles component, you should immediately upgrade to version 2026.5.7 or later where the issue is patched.

  • Prefer stable sender identifiers over mutable conversation metadata.
  • Restrict BlueBubbles groups until the patch is applied.
  • Narrow channel and tool allowlists to limit exposure.
  • Avoid sharing Gateways between untrusted users.
  • Disable the affected BlueBubbles feature if it is not necessary.
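To make the first bullet concrete, the following is an added, constructed Python illustration (not OpenClaw's or BlueBubbles' code; the message fields `sender_handle`, `chat_identifier` and `chat_display_name` are assumed names) contrasting an allowlist check that accepts conversation-level metadata with one bound only to the stable sender identity.

```python
from dataclasses import dataclass

# Constructed message shape; the field names are assumptions, not OpenClaw's schema.
@dataclass(frozen=True)
class InboundMessage:
    sender_handle: str      # stable identity of the sending account
    chat_identifier: str    # conversation-level identifier (participants can influence it)
    chat_display_name: str  # group title, editable by any participant


def normalize(handle: str) -> str:
    """Canonicalise an identifier before comparison so that case and spacing
    differences neither defeat nor loosen the allowlist."""
    return "".join(handle.split()).lower()


def allowed_by_metadata(msg: InboundMessage, allowlist: set[str]) -> bool:
    """Flawed pattern (CWE-807 / CWE-863): conversation metadata is accepted as
    evidence of who is speaking, so any field a participant controls can match."""
    wanted = {normalize(h) for h in allowlist}
    candidates = {msg.sender_handle, msg.chat_identifier, msg.chat_display_name}
    return any(normalize(c) in wanted for c in candidates)


def allowed_by_sender(msg: InboundMessage, allowlist: set[str]) -> bool:
    """Hardened pattern: only the stable sender identity is compared;
    conversation metadata never participates in the decision."""
    return normalize(msg.sender_handle) in {normalize(h) for h in allowlist}


# Constructed sample data.
ALLOWLIST = {"owner@example.com"}

LEGIT = InboundMessage("owner@example.com", "chat;-;12345", "Ops Room")
# Unlisted sender in a chat whose title happens to equal the allowlisted address.
UNLISTED = InboundMessage("stranger@example.net", "chat;-;12345", "owner@example.com")


def evaluate() -> dict[str, tuple[bool, bool]]:
    """Return (metadata_check, sender_check) for each sample message."""
    return {
        "legit": (allowed_by_metadata(LEGIT, ALLOWLIST), allowed_by_sender(LEGIT, ALLOWLIST)),
        "unlisted": (allowed_by_metadata(UNLISTED, ALLOWLIST), allowed_by_sender(UNLISTED, ALLOWLIST)),
    }


if __name__ == "__main__":
    for name, (meta, sender) in evaluate().items():
        print(f"{name}: metadata check={meta} sender check={sender}")
```

The metadata-based check accepts both messages, while the sender-bound check accepts only the message whose sending account is actually on the allowlist.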