ByteOS Network

NVD Vulnerability Details :

CVE-2026-53807

Analyzed

Source-disclosure@vulncheck.com

Published At-11 Jun, 2026 | 21:16

Updated At-12 Jun, 2026 | 19:33

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.7	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 7.7

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CPE Matches

OpenClaw

>>openclaw>>Versions before 2026.5.6(exclusive)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Weaknesses

CWE ID	Type	Source
CWE-863	Primary	disclosure@vulncheck.com

CWE ID: CWE-863

Type: Primary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq	disclosure@vulncheck.com	Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-telegram-interactive-callbacks-via-commands-allowfrom	disclosure@vulncheck.com	Third Party Advisory

Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq

Source: disclosure@vulncheck.com

Resource:

Mitigation

Vendor Advisory

Hyperlink: https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-telegram-interactive-callbacks-via-commands-allowfrom

Source: disclosure@vulncheck.com

Resource:

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History