Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53857

CVE-2026-53857: Openclaw Auth Bypass Vulnerability

CVE-2026-53857 is an authentication bypass flaw in Openclaw that exploits mutable Zalo display names to circumvent policy enforcement. Attackers could receive responses meant for other identities. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-53857 Overview

CVE-2026-53857 is a policy enforcement vulnerability in OpenClaw versions before 2026.5.3. The flaw allows Zalo contacts with mutable display metadata to match allowFrom policy entries through display name changes. Attackers controlling mutable display names can receive agent responses intended for different Zalo identities when the affected feature is enabled. The issue is categorized as improper authentication [CWE-290], where the system relies on a mutable attribute as an identity binding. The vulnerability carries a CVSS 4.0 score of 8.6 and affects the openclaw:openclaw Node.js package.

Critical Impact

An authenticated attacker with a mutable Zalo display name can intercept agent responses intended for other identities, resulting in confidentiality and integrity loss.

Affected Products

  • OpenClaw openclaw Node.js package versions prior to 2026.5.3
  • Deployments using Zalo contact integration with allowFrom policy entries
  • Agent workflows where the Zalo display-name matching feature is enabled

Discovery Timeline

  • 2026-06-16 - CVE-2026-53857 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-53857

Vulnerability Analysis

The vulnerability stems from how OpenClaw evaluates allowFrom policy entries against incoming Zalo contacts. Policy matching uses display metadata that the contact owner can modify at any time. Because the display name acts as the identity binding, any Zalo user can set their display name to match an entry permitted in allowFrom. The agent then treats the impersonating contact as an authorized identity.

Once matched, the agent routes responses intended for the legitimate identity to the attacker's session. The flaw resides in the policy enforcement layer rather than the underlying messaging transport. The attack does not require defeating Zalo authentication, only modifying a profile attribute under the attacker's control.

Root Cause

The root cause is reliance on a mutable, attacker-controlled identifier for authentication decisions [CWE-290]. The allowFrom policy compares the inbound contact's display name string against allow-list entries instead of binding to an immutable Zalo identifier. Display name mutability is a standard feature of the Zalo platform, so the policy check provides no real identity guarantee.

Attack Vector

An attacker with low privileges and network access to an OpenClaw deployment performs the attack remotely without user interaction. The attacker enumerates or guesses display names listed in the target's allowFrom policy. After renaming their Zalo account to match an authorized entry, the attacker initiates contact with the agent. The agent matches the spoofed display name and delivers responses originally scoped to the legitimate identity.

The vulnerability mechanism is described in the VulnCheck Advisory on OpenClaw and the GitHub Security Advisory GHSA-8c59-hr4w-qg69.

Detection Methods for CVE-2026-53857

Indicators of Compromise

  • Zalo contacts whose display name changed shortly before initiating interaction with an OpenClaw agent.
  • Agent response logs showing replies sent to contact identifiers that differ from prior conversation history under the same display name.
  • Multiple Zalo accounts sharing the same display name within a short observation window.

Detection Strategies

  • Audit allowFrom policy hits and correlate each match against the immutable Zalo user identifier rather than the display name string.
  • Alert when an inbound Zalo contact matches an allowFrom entry but the underlying user identifier has not been seen previously.
  • Review OpenClaw application logs for display-name churn on contacts that subsequently triggered policy matches.

Monitoring Recommendations

  • Forward OpenClaw and Zalo integration logs to a centralized analytics platform for anomaly detection on identity binding events.
  • Track changes to allowFrom policy entries and the population of contacts that match them over time.
  • Monitor for agent responses delivered to recipients whose contact metadata was modified within the prior 24 hours.

How to Mitigate CVE-2026-53857

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.5.3 or later on all deployments using the Zalo connector.
  • Disable the Zalo display-name matching feature until the patched release is deployed.
  • Review allowFrom policy entries and replace display-name based references with immutable Zalo identifiers where supported.

Patch Information

The vendor released OpenClaw 2026.5.3 to address CVE-2026-53857. Patch notes and remediation details are published in the GitHub Security Advisory GHSA-8c59-hr4w-qg69. Operators running earlier 2026.x releases should upgrade through the standard npm update process and restart the agent service.

Workarounds

  • Disable Zalo integration entirely if upgrading is not immediately feasible.
  • Restrict allowFrom policies to internal identities that cannot be impersonated through display name changes.
  • Implement an out-of-band verification step before the agent transmits sensitive responses to Zalo contacts.
bash
# Upgrade the OpenClaw package to the patched release
npm install openclaw@2026.5.3

# Verify the installed version
npm ls openclaw

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne