CVE-2026-53849
Description
OpenClaw before 2026.5.7 allows privilege escalation via the allowFrom feature by matching mutable Discord display names instead of immutable user IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the allowFrom feature, which improperly validates Discord account identity using mutable display names instead of immutable user IDs [1][2]. The affected versions are all prior to 2026.5.7. The feature is intended to restrict agent access based on Discord identity, but due to this flaw, a policy entry can be matched by a different Discord account that changes its display name to match the allowed name.
Exploitation
An attacker with a Discord account can change their display name or global name to match a policy entry [1]. No further authentication or special network position is required; the allowFrom feature will treat the attacker as the intended identity and grant agent access. The attacker simply needs to mutate their display metadata to match an allowed name defined in the policy.
Impact
On successful exploitation, the attacker gains unauthorized agent access intended for another Discord identity [1][2]. The practical impact depends on the operator's configuration (which channels, tools, or data the agent can reach) but could include unauthorized access to sensitive information or functionality. The confidentiality and integrity guarantees of identity-based access control are bypassed.
Mitigation
The first stable patched version is 2026.5.7 [1]. As a workaround, use stable Discord user IDs in allowlists instead of mutable display names. Additional mitigations include keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when not needed [1]. No other workarounds have been disclosed.
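As an added example (not OpenClaw's own code), the two matching strategies the advisory contrasts, in TypeScript: an allowlist keyed on mutable Discord display fields beside one keyed on the immutable user ID. The author structure, field names, the snowflake check and the sample IDs are assumptions modelled on Discord's public user object, not taken from the project.

```typescript
// Added example, not OpenClaw code. Field names follow Discord's user object (assumption).
interface DiscordAuthor {
  id: string;          // snowflake: immutable for the life of the account
  username: string;    // user-changeable
  globalName?: string; // display name: user-changeable
}

// Weak pattern (the CVE's root cause): allowFrom entries are compared against
// display fields that any account holder can change at will.
function isAllowedByName(author: DiscordAuthor, allowFrom: string[]): boolean {
  const names = [author.username, author.globalName ?? ""].map((n) => n.toLowerCase());
  return allowFrom.some((entry) => names.includes(entry.toLowerCase()));
}

// Hardened pattern: allowFrom entries must be user IDs. Entries that are not
// snowflake-shaped are rejected at load time, so a leftover display name fails
// loudly instead of silently allowing nobody (or, worse, being matched by name).
function loadAllowFromIds(allowFrom: string[]): Set<string> {
  const bad = allowFrom.filter((e) => !/^\d{17,20}$/.test(e)); // assumed snowflake width
  if (bad.length > 0) {
    throw new Error(`allowFrom must contain Discord user IDs, got: ${bad.join(", ")}`);
  }
  return new Set(allowFrom);
}

function isAllowedById(author: DiscordAuthor, allowedIds: Set<string>): boolean {
  return allowedIds.has(author.id);
}

// Constructed sample accounts: the operator meant to allow the first one;
// the second has renamed itself so its display name matches the policy entry.
const OPERATOR: DiscordAuthor = { id: "100000000000000001", username: "alice", globalName: "Alice" };
const IMPOSTOR: DiscordAuthor = { id: "200000000000000002", username: "alice_", globalName: "Alice" };

// Evaluates both policies against both accounts; returns the decisions for inspection.
function demo() {
  const byName = ["Alice"];
  const byId = loadAllowFromIds([OPERATOR.id]);
  return {
    weakOperator: isAllowedByName(OPERATOR, byName), // true
    weakImpostor: isAllowedByName(IMPOSTOR, byName), // true: renamed account passes
    hardOperator: isAllowedById(OPERATOR, byId),     // true
    hardImpostor: isAllowedById(IMPOSTOR, byId),     // false: ID does not match
  };
}
```

The same renaming trick defeats any allowlist that compares a field the account holder controls, so the check to run against a configuration is simply whether every allowFrom entry is an ID.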
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.