CVE-2026-53811: OpenClaw: privilege escalation via identity spoofing

HIGH
Published June 11, 2026
CISO Take

OpenClaw before 2026.5.7 contains an access control flaw in its Matrix allowFrom feature that evaluates policy entries against mutable display name metadata rather than immutable identifiers, allowing any authenticated user to change their display name to match a policy entry and receive agent permissions intended for a different Matrix identity. With a CVSS of 8.8 and an attack vector requiring only a low-privilege account with no user interaction, the exploit path is effectively trivial — an insider or compromised service account can impersonate any whitelisted identity without brute force or specialized tooling. This is particularly consequential for multi-agent deployments where different Matrix identities hold different permission tiers, as the blast radius extends to every tool, data source, and API accessible under the spoofed identity. Organizations should patch to 2026.5.7 immediately and audit existing allowFrom policies to replace any display-name-based selectors with immutable Matrix user IDs.

Sources: NVD, GitHub Advisory, ATLAS, vulncheck.com

What is the risk?

HIGH. CVSS 8.8 reflects a network-exploitable, low-complexity vulnerability requiring only authenticated access with no user interaction. CWE-290 (Authentication Bypass by Spoofing) via mutable metadata makes exploitation self-evident from the advisory description, compressing time-to-exploit even without a public PoC. No CISA KEV listing as of analysis date, and EPSS data is unavailable, but the trivial nature of the technique and the OpenClaw ecosystem's documented prior abuse (AIID #1368: malicious skills delivering credential stealers) elevate practical risk. The package has 155 prior CVEs and 4 downstream dependents, suggesting an actively targeted attack surface.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains or already holds a low-privilege Matrix-integrated OpenClaw account — the only prerequisite, exploitable over the network with no user interaction required.

  2. Identity Spoofing (AML.T0074): Attacker changes their Matrix display name to exactly match a display name whitelisted in an allowFrom policy entry that grants a higher-privilege agent identity.

  3. Privilege Escalation (AML.T0091): OpenClaw evaluates the allowFrom policy against the now-matching display name and grants the attacker the permissions — tools, APIs, orchestration rights — scoped to the impersonated identity.

  4. Impact (AML.T0086): Attacker operates with elevated agent authority, invoking privileged tools to exfiltrate credentials or sensitive data, pivot across the multi-agent environment, or disrupt connected AI pipelines.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch
Dependents: 4 (79% patched, ~0d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Upgrade to OpenClaw >= 2026.5.7 immediately (patch referenced in GHSA-7hxm-f538-3xp6).

  2. Audit all Matrix allowFrom policy entries: replace every display-name-based selector with the immutable Matrix user ID (MXID) format (@user:homeserver). Display names must never serve as the sole identity anchor for authorization decisions.

  3. Review Matrix homeserver logs for display name changes in the period preceding patching; cross-reference with allowFrom grant activity to identify potential abuse windows.

  4. If immediate patching is not feasible, disable or restrict the Matrix allowFrom feature and enforce access via out-of-band controls until patched.

  5. Enforce least-privilege on display name edit rights at the Matrix homeserver level as a defense-in-depth measure.
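
A sketch of steps 2 and 3, added here as an example (it is not OpenClaw code and not part of the advisory): it flags allowFrom entries that are not full Matrix user IDs, then scans Matrix m.room.member events for display name changes that collide with any policy entry. The flat list-of-strings policy, the function names, the example.org accounts and the sample events are assumptions constructed for illustration.

```python
import re
import unicodedata

# Permissive MXID shape (@localpart:server_name); historical IDs allow many localpart characters.
MXID_RE = re.compile(r"^@[^:\s]+:[^\s]+$")

def norm(name):
    """Fold case and Unicode compatibility forms before comparing names."""
    return unicodedata.normalize("NFKC", name or "").casefold().strip()

def audit_allow_from(entries):
    """Step 2: return the entries that are not immutable Matrix user IDs."""
    return [e for e in entries if not MXID_RE.match(e)]

def find_spoof_candidates(entries, events):
    """Step 3: display name changes whose new value collides with a policy entry."""
    by_name = {norm(e): e for e in entries}  # every entry is a string a name could imitate
    hits = []
    for ev in events:
        if ev.get("type") != "m.room.member":
            continue
        new = ev.get("content", {}).get("displayname")
        old = ev.get("unsigned", {}).get("prev_content", {}).get("displayname")
        if new == old or norm(new) not in by_name:
            continue
        entry = by_name[norm(new)]
        if entry != ev["state_key"]:  # an account showing its own MXID is not a collision
            hits.append((ev["origin_server_ts"], ev["state_key"], new, entry))
    return hits

# Constructed sample data (hypothetical policy and events, not from a real deployment).
POLICY = ["sec-pipeline-bot", "@ops-admin:example.org"]
EVENTS = [
    {"type": "m.room.member", "state_key": "@intern:example.org", "origin_server_ts": 1781000000000,
     "content": {"membership": "join", "displayname": "Sec-Pipeline-Bot"},
     "unsigned": {"prev_content": {"membership": "join", "displayname": "intern"}}},
    {"type": "m.room.member", "state_key": "@contractor:example.org", "origin_server_ts": 1781000060000,
     "content": {"membership": "join", "displayname": "@ops-admin:example.org"},
     "unsigned": {"prev_content": {"membership": "join", "displayname": "contractor"}}},
    {"type": "m.room.member", "state_key": "@ops-admin:example.org", "origin_server_ts": 1781000120000,
     "content": {"membership": "join", "displayname": "Ops (on call)"},
     "unsigned": {"prev_content": {"membership": "join", "displayname": "Ops"}}},
    {"type": "m.room.message", "sender": "@intern:example.org", "content": {"body": "hi"}},
]
```

Each hit is (timestamp, account that changed its name, new display name, colliding policy entry); matching is deliberately looser than exact equality so that case variants also surface for review.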

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.6.1.4 - AI system access control; A.9.4 - Access control to AI system resources
NIST AI RMF: GOVERN 1.1 - AI risk governance and policies; MANAGE 4.1 - Post-deployment AI risk monitoring and management
OWASP LLM Top 10: LLM06 - Excessive Agency; LLM08:2025 - Excessive Agency

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53811 actively exploited?

No confirmed active exploitation of CVE-2026-53811 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53811?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, LLM-connected agent pipelines.

What is the CVSS score for CVE-2026-53811?

CVE-2026-53811 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration, LLM-connected agent pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0073 Impersonation
AML.T0074 Masquerading
AML.T0081 Modify AI Agent Configuration
AML.T0091 Use Alternate Authentication Material
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.4, A.9.4
NIST AI RMF: GOVERN 1.1, MANAGE 4.1
OWASP LLM Top 10: LLM06, LLM08:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.

Exploitation Scenario

An attacker holding a low-privilege OpenClaw service account integrated via Matrix enumerates allowFrom policies through agent configuration files or error messages. They identify a display name used to gate elevated access — for example, a trusted orchestration identity labeled 'sec-pipeline-bot'. The attacker renames their Matrix account to 'sec-pipeline-bot' through standard profile settings. When OpenClaw next evaluates the allowFrom policy, it matches the spoofed display name and grants the attacker the agent permissions scoped to the legitimate orchestration bot: access to connected LLM APIs, stored credentials in agent tool definitions, and orchestration rights over downstream agents. The attacker now operates with elevated agent authority, exfiltrating credentials via tool invocations or pivoting across the multi-agent environment without triggering identity-based alerts.
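
The flaw class described above, reduced to a minimal model beside a hardened check. This is an added example, not OpenClaw's source: the Sender type, the function names, the list-shaped policy and the example.org accounts are hypothetical, and allowed_vulnerable is only a simplified model of matching against mutable metadata.

```python
import re
from dataclasses import dataclass

MXID_RE = re.compile(r"^@[^:\s]+:[^\s]+$")  # permissive @localpart:server_name shape

@dataclass(frozen=True)
class Sender:
    user_id: str       # immutable MXID assigned by the homeserver
    display_name: str  # mutable profile field, editable by the account holder

def allowed_vulnerable(sender, allow_from):
    """Simplified model of the flaw: an entry may match mutable profile metadata."""
    return sender.user_id in allow_from or sender.display_name in allow_from

def compile_allow_from(entries):
    """Keep only MXID entries; anything else can never grant access (fail closed)."""
    return frozenset(e for e in entries if MXID_RE.match(e))

def allowed_hardened(sender, compiled):
    """Authorize on the immutable user ID only; the display name is never consulted."""
    return sender.user_id in compiled

# Constructed sample policies and senders (hypothetical names and homeserver).
LEGACY_POLICY = ["sec-pipeline-bot"]               # display-name selector
FIXED_POLICY = ["@sec-pipeline-bot:example.org"]   # MXID selector
BOT = Sender("@sec-pipeline-bot:example.org", "sec-pipeline-bot")
SPOOF = Sender("@intern:example.org", "sec-pipeline-bot")
LITERAL = Sender("@intern:example.org", "@sec-pipeline-bot:example.org")

def decisions():
    """Return (vulnerable model, hardened check) outcomes for each sender."""
    fixed = compile_allow_from(FIXED_POLICY)
    return {
        "bot": (allowed_vulnerable(BOT, LEGACY_POLICY), allowed_hardened(BOT, fixed)),
        "spoof": (allowed_vulnerable(SPOOF, LEGACY_POLICY), allowed_hardened(SPOOF, fixed)),
        # In this model, policy cleanup alone does not help while matching
        # still consults the display name; the check itself must change.
        "literal": (allowed_vulnerable(LITERAL, FIXED_POLICY), allowed_hardened(LITERAL, fixed)),
    }
```

A display-name entry left behind in a policy compiles to nothing under the hardened check, so it denies access rather than granting it.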

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026
