CVE-2026-53857 OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

🗓️ 16 Jun 2026 18:05:05Reported by VulnCheckType

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent resp...

Reporter	Title	Published	Views	Family All 6
Circl	CVE-2026-53857	16 Jun 202620:01	–	circl
CVE	CVE-2026-53857	16 Jun 202618:05	–	cve
EUVD	EUVD-2026-37159	16 Jun 202621:31	–	euvd
NVD	CVE-2026-53857	16 Jun 202619:17	–	nvd
Positive Technologies	PT-2026-49774	16 Jun 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-53857 OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy	16 Jun 202618:05	–	vulnrichment

[
  {
    "vendor": "OpenClaw",
    "product": "OpenClaw",
    "defaultStatus": "unaffected",
    "packageURL": "pkg:npm/openclaw",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "versionType": "semver",
        "lessThan": "2026.5.3"
      },
      {
        "version": "2026.5.3",
        "status": "unaffected",
        "versionType": "semver"
      }
    ],
    "repo": "https://github.com/openclaw/openclaw"
  }
]

Source	Link
github	www.github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69
vulncheck	www.vulncheck.com/advisories/openclaw-mutable-display-name-binding-in-zalo-allowfrom-policy

16 Jun 2026 18:05Current

CVSS 3.18.1

CVSS 48.6

CWE-290