VYPR
High severity (8.1) · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-53857

Description

OpenClaw before 2026.5.3 allows Zalo contacts with mutable display names to bypass allowFrom policy, potentially rerouting agent responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before version 2026.5.3 contains a policy enforcement weakness (CWE-290, authentication bypass by spoofing): the allowFrom check for the Zalo channel could be satisfied by a contact's display name, which the contact can change at will, rather than only by a stable identifier [1][2]. The Zalo feature must be enabled and reachable for the bug to be exploitable. The issue does not change OpenClaw's trusted-operator model; authenticated Gateway operators and installed plugins remain trusted unless they cross a separate security boundary [1].

Exploitation

The attacker needs only to be a Zalo contact of the Gateway's account and to be able to change their own display name (mutable display metadata). They rename themselves to match an allowFrom entry that the operator intended for a different Zalo identity, and their messages then pass the policy check [1][2]. No network-level access beyond being a contact is required; the bypass works because the policy was bound to the mutable display name rather than to a stable identifier [2].

Impact

Successful exploitation lets the attacker pass the allowFrom check as if they were the intended contact, so agent responses meant for that identity are routed to the attacker instead [1][2]. The practical impact depends on the operator's configuration and on whether lower-trust input can reach the affected path; possible consequences include disclosure of the agent's output and impersonation of other Zalo contacts [1].

Mitigation

The first stable patched version is 2026.5.3 [1][2]. Until the upgrade is applied, the advisory's workarounds are: write allowFrom entries as stable Zalo identifiers rather than display names where the platform exposes them, keep friend access restricted, keep channel and tool allowlists narrow, do not share one Gateway between mutually untrusted users, and disable the Zalo feature when it is not needed [1].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
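The name-versus-identifier binding described under Vulnerability, Exploitation and Mitigation, as an added worked example in TypeScript. This is not OpenClaw's code and not taken from the advisory or its references: the contact shape, the two allowFrom matchers, the gateway routing stand-in, the policy migration helper and the sample contacts are all assumptions made for illustration. It shows a matcher that accepts a display name being satisfied by a renamed contact (and the agent's reply being rerouted to that contact), the same request being denied by a matcher bound to the stable id, and a helper for converting a name-based policy to ids that refuses to guess when two contacts share a name.

```typescript
// Added example for this advisory, not OpenClaw's code. The types, field names
// and helpers below are assumptions made for illustration; the point they
// demonstrate is the advisory's: an allowFrom policy that can be satisfied by a
// mutable display name is bypassed by renaming, one bound to a stable id is not.

interface ZaloContact {
  userId: string;      // assumed stable, platform-assigned identifier
  displayName: string; // mutable; the contact controls it
}

interface InboundMessage {
  sender: ZaloContact;
  text: string;
}

interface RoutingDecision {
  allowed: boolean;
  deliveredTo?: string; // userId that would receive the agent's response
}

type AllowFromMatcher = (msg: InboundMessage, allowFrom: string[]) => boolean;

// Vulnerable matcher (hypothetical): satisfied by userId OR displayName. Because the
// display name is under the sender's control, any contact can rename into the policy.
function isAllowedByNameOrId(msg: InboundMessage, allowFrom: string[]): boolean {
  return allowFrom.includes(msg.sender.userId) || allowFrom.includes(msg.sender.displayName);
}

// Hardened matcher: binds only to the stable identifier. A policy entry that is a
// display name never matches, so a stale name-based config fails closed, not open.
function isAllowedById(msg: InboundMessage, allowFrom: string[]): boolean {
  return allowFrom.includes(msg.sender.userId);
}

// Gateway stand-in: if the sender passes the policy, the agent's reply is routed back
// to the sender's userId. With the vulnerable matcher the reply therefore goes to
// whichever contact currently holds the allowlisted display name.
function route(msg: InboundMessage, allowFrom: string[], matcher: AllowFromMatcher): RoutingDecision {
  if (!matcher(msg, allowFrom)) {
    return { allowed: false };
  }
  return { allowed: true, deliveredTo: msg.sender.userId };
}

// Migration helper for the "use stable identifiers" workaround: rewrite a policy that
// mixes names and ids into ids only, using a snapshot of the contact directory. A name
// held by more than one contact is reported as ambiguous instead of being guessed.
function migratePolicyToIds(
  allowFrom: string[],
  directory: ZaloContact[],
): { ids: string[]; ambiguous: string[]; unresolved: string[] } {
  const ids: string[] = [];
  const ambiguous: string[] = [];
  const unresolved: string[] = [];
  const knownIds = new Set(directory.map((c) => c.userId));
  for (const entry of allowFrom) {
    if (knownIds.has(entry)) {
      ids.push(entry); // already a stable id, keep as is
      continue;
    }
    const holders = directory.filter((c) => c.displayName === entry);
    if (holders.length > 1) {
      ambiguous.push(entry);
    } else if (holders.length === 1) {
      ids.push(holders[0]!.userId);
    } else {
      unresolved.push(entry);
    }
  }
  return { ids, ambiguous, unresolved };
}

// Constructed scenario (not real accounts): Alice is the contact the operator meant
// to allow; Mallory later changes her display name to Alice's.
const alice: ZaloContact = { userId: "1001", displayName: "Alice Ops" };
const malloryBefore: ZaloContact = { userId: "2002", displayName: "Mallory" };
const malloryRenamed: ZaloContact = { userId: "2002", displayName: "Alice Ops" };
const namePolicy = ["Alice Ops"]; // what an operator might have written
const idPolicy = ["1001"];        // what the policy should bind to

function demo() {
  const ask = (sender: ZaloContact): InboundMessage => ({ sender, text: "summarise today's tickets" });
  return {
    vulnAlice: route(ask(alice), namePolicy, isAllowedByNameOrId),
    vulnMalloryBefore: route(ask(malloryBefore), namePolicy, isAllowedByNameOrId),
    vulnMalloryRenamed: route(ask(malloryRenamed), namePolicy, isAllowedByNameOrId), // rerouted to 2002
    fixedAlice: route(ask(alice), idPolicy, isAllowedById),
    fixedMalloryRenamed: route(ask(malloryRenamed), idPolicy, isAllowedById),        // denied
    fixedStaleNamePolicy: route(ask(alice), namePolicy, isAllowedById),              // fails closed
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The last case in demo is the one operators should expect when they upgrade: a policy written as display names stops matching under an id-only check, so the migration helper (or the equivalent manual rewrite to stable ids, as the workarounds recommend) has to be run before the channel works again. Treating a shared name as ambiguous rather than picking the first match is deliberate, since a duplicate name is exactly the condition the attacker creates.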

Affected products (2)

  • OpenClaw / Openclaw (inferred), 2 version ranges
    • (no CPE) range: <2026.5.3
    • (no CPE) range: <2026.5.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.