Lucene search
+L

21 matches found

EUVD
EUVD
added 11 hours ago4 views

EUVD-2026-45112

OpenClaw MS Teams before 2026.5.12 contain an authorization bypass vulnerability where the allowFrom feature binds to mutable display names. Attackers with lower-trust access can perform actions requiring stronger authorization by exploiting the mutable display name binding in the affected featur...

5.4CVSS6.1AI score
Exploits0References2
OSV
OSV
added 2026/06/18 8:36 p.m.6 views

GHSA-CW4Q-GQG5-G38H OpenClaw: Discord allowFrom could bind to mutable display names

Summary Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change...

8.6CVSS5.7AI score0.00267EPSS
Exploits0References4
OSV
OSV
added 2026/06/18 8:17 p.m.6 views

GHSA-8C59-HR4W-QG69 OpenClaw: Zalo allowFrom could bind to mutable display names

Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.6CVSS5.6AI score0.00225EPSS
Exploits0References4
NVD
NVD
added 2026/06/16 7:17 p.m.9 views

CVE-2026-53857

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when...

8.6CVSS0.00225EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.22 views

CVE-2026-53857

OpenClaw before 2026.5.3 is vulnerable: the policy enforcement flaw allows Zalo display-name changes to influence allowFrom policy matching, causing attackers with mutable display names to receive responses intended for other Zalo identities when the feature is enabled. Affected product: OpenClaw...

8.6CVSS5.3AI score0.00225EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/16 6:5 p.m.4 views

CVE-2026-53857 OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when...

8.6CVSS6AI score0.00225EPSS
Exploits0References5
CVE
CVE
added 2026/06/16 6:4 p.m.25 views

CVE-2026-53849

CVE-2026-53849 — OpenClaw prior to 2026.5.7 : A privilege-escalation in which the allowFrom feature validates Discord identity via mutable display names instead of immutable user IDs. An attacker with a Discord account can alter their display name to align with a policy entry and gain unauthorize...

8.6CVSS5.3AI score0.00267EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.14 views

PT-2026-49774

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.3 Description A policy enforcement issue exists where Zalo contacts with mutable display metadata can match allowFrom policy entries by changing their display names. This allows attackers with mutable display...

8.6CVSS5.2AI score0.00225EPSS
Exploits0References5
NVD
NVD
added 2026/06/12 10:16 p.m.14 views

CVE-2026-53823

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS0.00209EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.9 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS5.3AI score0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.34 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.30 views

CVE-2026-53823

OpenClaw is affected by a privilege-escalation vulnerability in the allowFrom feature, where binding to mutable Slack display names enables an attacker with Slack account access to alter display name metadata to match policy entries and gain unauthorized agent access intended for other identities...

8.6CVSS5.3AI score0.00209EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/12 9:56 p.m.5 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS6AI score0.00209EPSS
Exploits0References5
CVE
CVE
added 2026/06/11 8:7 p.m.30 views

CVE-2026-53811

OpenClaw is affected up to version 2026.5.7. The vulnerability is a privilege escalation in the Matrix allowFrom feature caused by mutable display name metadata, allowing authenticated accounts to match policy entries and receive agent access intended for another Matrix identity. Depending on ope...

8.8CVSS5.5AI score0.00309EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/11 8:7 p.m.32 views

CVE-2026-53811 OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

8.8CVSS0.00309EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 8:7 p.m.10 views

CVE-2026-53811 OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

8.8CVSS5.2AI score0.00309EPSS
Exploits0References2
OSV
OSV
added 2026/06/11 8:7 p.m.5 views

CVE-2026-53811 OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

7.7CVSS6AI score0.00309EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/09 9:26 p.m.22 views

CVE-2026-35617 OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources...

4.2CVSS0.00236EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/29 3:48 p.m.9 views

OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

Summary Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Google Chat group...

5.4CVSS5.9AI score0.00236EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/19 10:6 p.m.5 views

CVE-2026-32021

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass...

6.3CVSS5.8AI score0.00205EPSS
Exploits0References4
Rows per page
Query Builder