CVE-2026-53849: OpenClaw: auth bypass via Discord display name spoofing

HIGH
Published June 16, 2026
CISO Take

OpenClaw's allowFrom access control grants agent permissions based on Discord display names — a field any user can change at will — rather than immutable Discord user IDs. Any low-privileged Discord account holder can change their display name to match a policy entry and immediately assume the full access level of the impersonated identity, making this trivially exploitable with zero technical barrier. The CVSS 8.1 vector (network-accessible, low complexity, low privileges, no user interaction) accurately reflects the severity: there is no EPSS data yet and no KEV classification, but the absence of a technical barrier means exploitation is effectively guaranteed once awareness spreads. Teams running OpenClaw before 2026.5.7 should patch immediately; as an interim measure, lock Discord server membership to verified accounts and cross-reference agent command logs against Discord audit logs for display name changes.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

HIGH. The attack requires only an existing Discord account and the knowledge of a valid allowFrom entry — both trivially obtainable. The design flaw is fundamental: trusting a user-controlled mutable string for access control is not mitigable by configuration hardening alone without patching. Because OpenClaw is an AI agent framework, successful exploitation grants the adversary the full operational authority of the impersonated identity, including every tool and action the agent is authorized to perform. Blast radius is proportional to agent permissions, which in production deployments can include internal API access, data retrieval, and automated workflow execution.

How does the attack unfold?

  1. Reconnaissance (AML.T0084 Discover AI Agent Configuration): Attacker inspects public repositories, documentation, or probes the agent directly to enumerate valid allowFrom display name entries that grant elevated access.

  2. Identity Spoofing (AML.T0073 Impersonation): Attacker changes their Discord display name to match a discovered allowFrom policy entry, requiring no technical skill beyond a standard Discord account.

  3. Unauthorized Agent Access (AML.T0012 Valid Accounts): Attacker sends commands via Discord; OpenClaw's allowFrom check matches the spoofed display name and grants the full access rights of the impersonated authorized identity.

  4. Tool Invocation and Impact (AML.T0053 AI Agent Tool Invocation): Attacker invokes any tool the agent is authorized to use (data queries, internal API calls, workflow triggers) while audit logs attribute the activity to the spoofed display name.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable range: before 2026.5.7 (per the advisory)
Patched: 2026.5.7 per the advisory (the package-registry feed lists no patched release)
4 dependents; 61% patched; ~0d to patch

Any OpenClaw deployment that uses the Discord allowFrom feature on a version before 2026.5.7 is affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

  1. Patch immediately: upgrade OpenClaw to version 2026.5.7 or later, which validates Discord identity against immutable user IDs rather than display names.

  2. Interim workaround: restrict the Discord server to verified, known accounts with mandatory 2FA to reduce the attacker pool; consider using Discord role IDs (immutable) for policy entries if the patched version supports it.

  3. Audit allowFrom policies: review all policy entries and map them to specific Discord user IDs to confirm intended scope.

  4. Detection: pull agent command logs and cross-reference them with Discord records of display name changes in the 30 days prior to patch deployment; look for commands issued under an allowFrom name that coincide with a name change event. Check which field the agent matched: server nickname changes appear in the Discord server audit log, but changes to a user's global display name are account-level and do not, so for those you need the bot's own record of member/user update events.

  5. Scope assessment: enumerate all tools and data sources the agent can access and determine whether unauthorized access has already occurred, particularly for agents with write-capable or exfiltration-capable tool sets.
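Steps 3 and 4 as runnable checks over constructed data. This is an added example, not OpenClaw's code or any vendor tool; the roster, name-change events, command log shape, IDs and timestamps are all assumptions. Step 3 maps each allowFrom name onto the current roster and flags any name without exactly one owner; step 4 works out who held the name at the moment each command was issued and flags commands from anyone other than the confirmed owner.

```python
"""Added example, not OpenClaw's code: audit allowFrom names against a roster
(step 3) and correlate agent commands with name-change events (step 4).
All data below is constructed; field names and shapes are assumptions."""
from datetime import datetime
from typing import Optional

ALLOW_FROM = ["SecurityBot-Admin", "ops-oncall"]  # 'SecurityBot-Admin' is the page's example

# Constructed roster snapshot: user_id -> display name as seen today.
ROSTER = {
    "123456789012345678": "SecurityBot-Admin",
    "223456789012345678": "ops-oncall",
    "999999999999999999": "SecurityBot-Admin",  # a second member wearing the name
}

# Constructed name-change events. Server nickname changes come from the guild
# audit log; global display-name changes do not appear there and would have to
# come from the bot's own gateway event log (member/user update events).
NAME_CHANGES = [
    {"ts": "2026-06-01T09:00:00Z", "user_id": "999999999999999999",
     "old": "newguy42", "new": "SecurityBot-Admin"},
    {"ts": "2026-06-03T12:00:00Z", "user_id": "223456789012345678",
     "old": "alice", "new": "ops-oncall"},
]

# Constructed agent command log from a pre-fix build: attribution by name only.
COMMANDS = [
    {"ts": "2026-05-20T10:00:00Z", "display_name": "SecurityBot-Admin", "command": "/export customers"},
    {"ts": "2026-06-01T09:02:00Z", "display_name": "SecurityBot-Admin", "command": "/export customers"},
    {"ts": "2026-06-04T08:00:00Z", "display_name": "ops-oncall", "command": "/status"},
    {"ts": "2026-06-04T08:05:00Z", "display_name": "randomuser", "command": "/status"},
]

# Owners confirmed out of band after reviewing the step-3 audit (assumed).
CONFIRMED_OWNERS = {"SecurityBot-Admin": "123456789012345678",
                    "ops-oncall": "223456789012345678"}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_allow_from(allow_from, roster) -> dict:
    """Step 3: which roster members currently carry each allowFrom name.
    Anything other than exactly one owner needs a human decision."""
    return {name: sorted(uid for uid, n in roster.items() if n == name)
            for name in allow_from}


def holder_at(name: str, when: datetime, changes) -> Optional[dict]:
    """Latest recorded event in which someone took `name` at or before `when`."""
    candidates = [ev for ev in changes
                  if ev["new"] == name and parse_ts(ev["ts"]) <= when]
    return max(candidates, key=lambda ev: parse_ts(ev["ts"]), default=None)


def flag_spoofed_commands(commands, allow_from, expected_owner, changes) -> list:
    """Step 4: commands issued under an allowFrom name by someone other than
    its confirmed owner. Commands that predate the rename are not flagged; a
    name with no recorded change cannot be judged from this data alone."""
    findings = []
    for cmd in commands:
        name = cmd["display_name"]
        if name not in allow_from:
            continue
        when = parse_ts(cmd["ts"])
        ev = holder_at(name, when, changes)
        if ev is None or ev["user_id"] == expected_owner.get(name):
            continue
        findings.append({
            "command_ts": cmd["ts"],
            "command": cmd["command"],
            "display_name": name,
            "suspect_user_id": ev["user_id"],
            "name_adopted_at": ev["ts"],
            "minutes_before_command": (when - parse_ts(ev["ts"])).total_seconds() / 60,
        })
    return findings


if __name__ == "__main__":
    for name, owners in audit_allow_from(ALLOW_FROM, ROSTER).items():
        print(f"{name}: {owners} {'ok' if len(owners) == 1 else 'AMBIGUOUS'}")
    for f in flag_spoofed_commands(COMMANDS, ALLOW_FROM, CONFIRMED_OWNERS, NAME_CHANGES):
        print(f)
```

On the constructed data the audit reports 'SecurityBot-Admin' as ambiguous (two members carry it), and the correlation flags only the 09:02 export, issued two minutes after the second member adopted the name; the earlier export predates the rename and the ops-oncall command was issued by its confirmed owner.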

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 6.1 - Actions to address risks and opportunities
NIST AI RMF: MANAGE 2.2 - Risk responses include technical and governance options
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53849?

CVE-2026-53849 is an authentication bypass in OpenClaw before 2026.5.7. The allowFrom access control matched Discord display names, which any user can change, instead of immutable Discord user IDs, so any Discord account holder could rename themselves to match a policy entry and obtain that entry's agent permissions. It is rated HIGH (CVSS 3.1 base score 8.1); the fix is to upgrade to 2026.5.7 or later.

Is CVE-2026-53849 actively exploited?

No confirmed active exploitation of CVE-2026-53849 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53849?

Upgrade OpenClaw to 2026.5.7 or later, which keys allowFrom on immutable Discord user IDs. Until the upgrade is deployed, restrict the Discord server to verified accounts with 2FA, audit every allowFrom entry against the user ID it is meant to represent, review agent command logs against display name changes, and enumerate what the agent could have reached. The five steps are set out under "What should I do?" above.

What systems are affected by CVE-2026-53849?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Discord-integrated AI agents, Agentic automation pipelines.

What is the CVSS score for CVE-2026-53849?

CVE-2026-53849 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Discord-integrated AI agents, Agentic automation pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0073 Impersonation
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

Exploitation Scenario

An attacker targets an organization running an OpenClaw-based AI agent integrated into their Discord workspace. The attacker joins the server (or is already a member with a basic account), then identifies a valid allowFrom entry by inspecting public GitHub repositories or agent documentation, or simply by probing the agent for 'access denied' vs. 'authorized' responses under different display names. The attacker renames their Discord account to 'SecurityBot-Admin' (or whichever entry they identified) and issues a data query command to the agent. The agent's allowFrom check matches the display name against the policy, finds a hit, and executes the command with full authorized-user authority. The attacker can now exfiltrate data, trigger internal API calls, or manipulate downstream workflows, while the audit trail attributes the activity to the impersonated display name. Attribution is recoverable only if the agent also recorded the author's immutable user ID alongside the name.
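The check the scenario describes, and the ID-keyed replacement the fix calls for, as an added example; this is illustrative code, not OpenClaw's. The policy contents, snowflakes and the Author shape are constructed. The vulnerable matcher looks the role up by display name; the fixed one looks it up by the user's snowflake only, with no fallback to username (also user-changeable), and the authorization record carries the snowflake so the trail survives a later rename.

```python
"""Added example, not OpenClaw's code: name-keyed allowFrom (vulnerable)
beside an ID-keyed allowFrom (fixed) and an audit record that keeps the
immutable author ID. Policy entries, IDs and the Author shape are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Author:
    # Loosely modelled on a Discord message author. Only `id` (the snowflake)
    # is stable; username and display name can both be changed by the user.
    id: str
    username: str
    display_name: str


# Constructed policy in both forms. 'SecurityBot-Admin' is the page's example
# name; the snowflakes are made up. IDs are strings because 64-bit snowflakes
# lose precision when handled as JSON numbers.
ALLOW_FROM_BY_NAME = {"SecurityBot-Admin": "admin", "ops-oncall": "operator"}
ALLOW_FROM_BY_ID = {"123456789012345678": "admin", "223456789012345678": "operator"}


def vulnerable_allow_from(author: Author) -> Optional[str]:
    """Behaviour the advisory describes for builds before 2026.5.7:
    the role is resolved from the user-editable display name."""
    return ALLOW_FROM_BY_NAME.get(author.display_name)


def fixed_allow_from(author: Author) -> Optional[str]:
    """Resolve by snowflake only. Deliberately no fallback to username or
    display name: any name-based fallback reopens the same spoofing path."""
    if not author.id.isdigit():
        return None  # refuse a malformed ID rather than guess
    return ALLOW_FROM_BY_ID.get(author.id)


def authorize(author: Author, command: str) -> dict:
    """Decision plus an audit record keyed on the snowflake, with the display
    name kept only as context, so attribution survives a later rename."""
    role = fixed_allow_from(author)
    return {
        "allowed": role is not None,
        "role": role,
        "user_id": author.id,
        "display_name_at_time": author.display_name,
        "command": command,
    }


def demo() -> dict:
    legit = Author("123456789012345678", "secbot_admin", "SecurityBot-Admin")
    # Attacker: different snowflake, display name changed to match the policy.
    spoof = Author("999999999999999999", "newguy42", "SecurityBot-Admin")
    return {
        "vulnerable": (vulnerable_allow_from(legit), vulnerable_allow_from(spoof)),
        "fixed": (fixed_allow_from(legit), fixed_allow_from(spoof)),
    }


if __name__ == "__main__":
    print(demo())
    print(authorize(Author("999999999999999999", "newguy42", "SecurityBot-Admin"), "/export"))
```

Under the name-keyed check both authors resolve to 'admin'; under the ID-keyed check only the legitimate snowflake does, and the spoofed author's attempt is recorded against their own user ID rather than the borrowed name.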

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
