VYPR
High severity · 8.1 · NVD Advisory · Published Jun 12, 2026

CVE-2026-53823

Description

OpenClaw before 2026.5.3 allows privilege escalation via the allowFrom feature by binding to mutable Slack display names, enabling attackers to impersonate other identities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw versions before 2026.5.3 contain a privilege escalation vulnerability in the allowFrom feature, which binds to mutable Slack display names instead of stable user IDs [1][2]. When the feature is enabled, an attacker with Slack account access can change their display name to match a policy entry, potentially gaining unauthorized agent access intended for another identity [1].

Exploitation

An attacker needs only a Slack account with the ability to change their display name metadata [1]. No additional privileges or user interaction are required. The attacker changes their display name to match an entry in the allowFrom allowlist, then accesses the OpenClaw agent as that identity [2].

Impact

Successful exploitation allows the attacker to bypass authentication and gain agent access intended for another Slack identity [1]. This can lead to privilege escalation within the OpenClaw environment, depending on the permissions associated with the impersonated identity [2]. In CIA terms the impact is primarily unauthorized access (confidentiality and integrity) at the level of the impersonated user.

Mitigation

The vulnerability is fixed in OpenClaw version 2026.5.3 [1]. As a workaround, operators should use stable Slack user IDs in allowlists instead of display names, keep channel and tool allowlists narrow, avoid sharing a Gateway between mutually untrusted users, and disable the allowFrom feature when not needed [1]. No known exploitation in the wild has been reported as of the advisory publication.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1
06d46f7cf638

chore(release): refresh base config schema

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · May 4, 2026 · Fixed in 2026.5.3 via release-tag
1 file changed · +1 −1
  • src/config/schema.base.generated.ts (+1 −1, modified)
    @@ -29360,6 +29360,6 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = {
           tags: ["advanced", "url-secret"],
         },
       },
    -  version: "2026.5.3-beta.4",
    +  version: "2026.5.3",
       generatedAt: "2026-03-22T21:17:33.302Z",
     };
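Review bot: The only change in this hunk is the `version` literal moving from `"2026.5.3-beta.4"` to `"2026.5.3"`, while `generatedAt: "2026-03-22T21:17:33.302Z"` is left untouched; for a file named `schema.base.generated.ts` with a commit message of "refresh base config schema", a version bump without a refreshed timestamp suggests a hand edit rather than a regeneration, so either regenerate the file or drop the stale `generatedAt` claim. The hunk also touches nothing related to `allowFrom` or display-name resolution, so it should be linked to this CVE only as the release tag it is, not cited as the fixing change.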
    

Vulnerability mechanics

Root cause

"The allowFrom feature resolves policy entries against mutable Slack display names instead of an immutable user identifier, allowing an attacker to impersonate another identity by changing their display name."

Attack vector

An attacker with Slack account access changes their own Slack display name to match a display name listed in an `allowFrom` policy entry. Because OpenClaw resolves the policy against the mutable display-name metadata rather than an immutable identifier, the attacker's session is granted agent access intended for a different identity. The attack is network-accessible, requires low privileges (a valid Slack account), and needs no user interaction.

Affected code

The patch only bumps the schema version string from `2026.5.3-beta.4` to `2026.5.3` in `src/config/schema.base.generated.ts`. No functional code change is present, so the patch does not reveal which code path contains the privilege escalation defect. The advisory describes the vulnerability as residing in the `allowFrom` feature that binds to mutable Slack display names.

What the fix does

The supplied patch only updates the schema version string from `2026.5.3-beta.4` to `2026.5.3` and does not contain any functional change. The advisory states that the vulnerability is fixed in OpenClaw 2026.5.3, but the commit shown does not alter the `allowFrom` logic or how display names are resolved. Without a visible code fix, the remediation appears to be a release cut that presumably includes an undisclosed change elsewhere in the repository.

Preconditions

  • auth: Attacker must have a valid Slack account that can change their display name.
  • config: The target OpenClaw instance must have an allowFrom policy that matches Slack display names.
  • network: Network access to the OpenClaw agent endpoint is required.
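The root cause, attack vector and workaround above all come down to one comparison: whether a policy entry is matched against a profile field the account holder can edit, or against the identifier Slack assigns and never changes. The following TypeScript is an added illustration, not OpenClaw's code: the commit on this page does not expose the real `allowFrom` implementation, so the `SlackEvent` shape, the function names, the member-ID pattern and the sample accounts are all assumptions constructed for the example. It puts the display-name-bound check beside the user-ID-bound check and adds a configuration lint that rejects non-ID entries, which is the practical form of the "use stable Slack user IDs in allowlists" advice.

```typescript
// Added illustration, not OpenClaw's code: a minimal allowFrom policy check
// evaluated against constructed Slack events, showing why binding to the
// display name is unsafe and how binding to the immutable member ID closes it.

// Constructed subset of a Slack message event; real events carry more fields.
interface SlackEvent {
  user: string;        // member ID assigned by Slack, not user-editable
  displayName: string; // profile.display_name, editable by the account holder
}

// Assumed shape of a Slack member ID: U (user) or W (enterprise user)
// followed by uppercase alphanumerics. Used only to lint policy entries.
const SLACK_USER_ID = /^[UW][A-Z0-9]{2,}$/;

// Vulnerable form: the policy entry is compared to mutable profile metadata.
function isAllowedByDisplayName(evt: SlackEvent, allowFrom: string[]): boolean {
  return allowFrom.includes(evt.displayName);
}

// Hardened form: only the immutable member ID is consulted; the display
// name plays no part in the decision.
function isAllowedByUserId(evt: SlackEvent, allowFrom: string[]): boolean {
  return allowFrom.includes(evt.user);
}

// Configuration lint: return every allowFrom entry that is not a member ID,
// so a display name cannot be reintroduced into the policy by mistake.
function invalidAllowFromEntries(allowFrom: string[]): string[] {
  return allowFrom.filter((entry) => !SLACK_USER_ID.test(entry));
}

// Constructed scenario: the operator meant to grant access to Alice only.
const alice: SlackEvent = { user: "U01ALICE", displayName: "alice" };
// A second, unrelated account whose holder has renamed the profile to "alice".
const renamedAccount: SlackEvent = { user: "U09OTHER", displayName: "alice" };

const displayNamePolicy = ["alice"];   // the vulnerable deployment's policy
const userIdPolicy = ["U01ALICE"];     // the policy the workaround recommends

// Evaluate both checks for both accounts so the difference is visible at once.
function compare(): Record<string, boolean> {
  return {
    aliceByName: isAllowedByDisplayName(alice, displayNamePolicy),          // true
    otherByName: isAllowedByDisplayName(renamedAccount, displayNamePolicy), // true: impersonation
    aliceById: isAllowedByUserId(alice, userIdPolicy),                      // true
    otherById: isAllowedByUserId(renamedAccount, userIdPolicy),             // false
  };
}

console.log(compare());
console.log("non-ID entries in display-name policy:", invalidAllowFromEntries(displayNamePolicy));
console.log("non-ID entries in user-ID policy:", invalidAllowFromEntries(userIdPolicy));
```

The lint is the part worth wiring into a deployment: a policy that still contains a bare display name should fail to load, rather than silently matching whichever account currently carries that name.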

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.