CVE-2026-53807
Severity: HIGH
WAF Coverage: Low
CVSS: 8.8
Published: 2026-06-11
CWE-863
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.
WAF Coverage Analysis
CWE-863: Incorrect Authorization
WAF Coverage: Low
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.5.6 |
References
- github.com (Mitigation, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)