VYPR
Medium severity (6.5) · NVD Advisory · Published Jun 11, 2026

CVE-2026-53815


Description

OpenClaw before 2026.5.19 allows lower-trust callers to read messages from unauthorized channels due to missing allowlist checks in message read actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

OpenClaw before version 2026.5.19 contains an authorization bypass vulnerability in its message read actions. The software fails to enforce channel allowlist checks when processing certain read requests, allowing lower-trust callers to access messages from channels they are not permitted to read [1][2]. This affects the message read feature when enabled and reachable [1].

Exploitation

An attacker with low privileges (requiring network access but no user interaction) can exploit the insufficient validation by sending specially crafted requests to the affected message read action. The attacker does not need to be authenticated as a trusted operator; they only need access to the vulnerable feature endpoint [1][2]. The attack complexity is low, and no special conditions beyond network access are required [2].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive channel messages. The confidentiality impact is high, as messages from channels not intended for the caller can be exposed [2]. No integrity or availability impact is involved. The attacker gains read access to potentially sensitive communications without proper authorization.

Mitigation

The vulnerability is fixed in version 2026.5.19 [1]. As a workaround, operators should limit access to message read actions to trusted operators, keep channel allowlists narrow, and disable the affected feature when not needed [1]. There is no indication of active exploitation or inclusion on the CISA KEV list.
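The defect class described under Vulnerability (a read action that never consults the channel allowlist) and the workaround under Mitigation (restrict reads to trusted operators, keep allowlists narrow), as an added TypeScript example; this is not OpenClaw's code, and Caller, the trust levels, readMessagesUnchecked/readMessagesChecked, MESSAGE_STORE and denialLog are assumptions made for illustration.

```typescript
// Added example (not OpenClaw's code): a message-read action with and without a
// channel allowlist check. All names below are hypothetical.

export type TrustLevel = "operator" | "member" | "guest";

export interface Caller {
  id: string;
  trust: TrustLevel;
  // Channels this caller is explicitly allowed to read; empty means "nothing".
  allowedChannels: ReadonlySet<string>;
}

export interface Message {
  channel: string;
  text: string;
}

// Constructed sample store with one public and one private channel.
const MESSAGE_STORE: readonly Message[] = [
  { channel: "general", text: "release notes posted" },
  { channel: "incident-private", text: "rotate the staging API key" },
];

export type ReadResult =
  | { ok: true; messages: Message[] }
  | { ok: false; reason: string };

// Record of denied reads, so a deployment can alert when a low-trust caller
// keeps asking for channels it is not allowed to see.
export const denialLog: string[] = [];

// "Before" form: the action trusts the channel name in the request and never
// consults the caller's allowlist, which is the missing-check pattern above.
export function readMessagesUnchecked(_caller: Caller, channel: string): ReadResult {
  return { ok: true, messages: MESSAGE_STORE.filter((m) => m.channel === channel) };
}

// Allowlist decision: operators are exempt (the advisory's "trusted operators");
// every other caller is denied unless the channel is explicitly listed.
export function isReadAllowed(caller: Caller, channel: string): boolean {
  if (caller.trust === "operator") return true;
  return caller.allowedChannels.has(channel);
}

// Hardened form: the allowlist is evaluated on every read, regardless of which
// path the request arrived through, and denials are logged for detection.
export function readMessagesChecked(caller: Caller, channel: string): ReadResult {
  if (!isReadAllowed(caller, channel)) {
    denialLog.push(`${caller.id} (${caller.trust}) denied read on #${channel}`);
    return { ok: false, reason: `channel not on allowlist for caller ${caller.id}` };
  }
  return { ok: true, messages: MESSAGE_STORE.filter((m) => m.channel === channel) };
}

// Constructed callers: a member with a narrow allowlist, a guest with none,
// and an operator.
export const member: Caller = { id: "alice", trust: "member", allowedChannels: new Set(["general"]) };
export const guest: Caller = { id: "anon", trust: "guest", allowedChannels: new Set() };
export const operator: Caller = { id: "ops", trust: "operator", allowedChannels: new Set() };
```

The unchecked form returns the private channel's messages to any caller that can reach the endpoint; the checked form denies the guest and the member for that channel, allows the member on the one channel it is listed for, and leaves operators unrestricted, which is the shape of the "narrow allowlist, trusted operators only" workaround.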

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenClaw/Openclaw (inferred), 2 versions: <2026.5.19 (+1 more)
    • (no CPE) range: <2026.5.19
    • (no CPE) range: <2026.5.19

Patches (1)

a185ca283a74

test: align release timeout budget expectations

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · May 20, 2026 · Fixed in 2026.5.19 via release-tag
1 file changed · +1 −1
  • test/scripts/package-acceptance-workflow.test.ts (+1 −1, modified)
    @@ -978,7 +978,7 @@ describe("package artifact reuse", () => {
         }
     
         expect(fullRelease.jobs?.release_checks?.["timeout-minutes"]).toBe(
    -      "${{ inputs.release_profile == 'full' && 240 || 60 }}",
    +      "${{ inputs.release_profile != 'minimum' && 240 || 60 }}",
         );
         expect(fullRelease.jobs?.prepare_release_package?.["timeout-minutes"]).toBe(15);
         expect(releaseChecks.jobs?.prepare_release_package?.["timeout-minutes"]).toBe(15);
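Review bot: the hunk only rewrites the test's expected `timeout-minutes` expression from `${{ inputs.release_profile == 'full' && 240 || 60 }}` to `${{ inputs.release_profile != 'minimum' && 240 || 60 }}`, and this one-file commit carries no matching change to the workflow under test, so the assertion passes only if the workflow already emits the `!= 'minimum'` form; the commit message should name the workflow change it aligns with. Note also that the commit is linked to CVE-2026-53815 by release tag, not by touching message read or allowlist code, so it should not be read as the fix itself.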
    


References (2)
