OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

AI Analysis

Policy enforcement vulnerability in OpenClaw's Zalo feature, allowing attackers to receive agent responses intended for different identities through mutable display name changes.

Basic Information

ID CVE-2026-53857

Source VulnCheck

Published Jun 16, 2026 at 18:05

Modified Jun 16, 2026 at 18:55

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-290

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor OpenClaw

Product OpenClaw

Version < 2026.5.3

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.",
    "published": "2026-06-16T18:05:05.109Z",
    "modified": "2026-06-16T18:55:30.841Z",
    "type": "cve",
    "title": "OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69\nhttps://www.vulncheck.com/advisories/openclaw-mutable-display-name-binding-in-zalo-allowfrom-policy",
    "id": "CVE-2026-53857",
    "bulletinFamily": "",
    "cwe": [
        "CWE-290"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Policy enforcement vulnerability in OpenClaw's Zalo feature, allowing attackers to receive agent responses intended for different identities through mutable display name changes.",
    "ai_severity": "High",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.5.3",
    "ai_score": 8.6
}

OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy_CVE-2026-53857