{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53807: OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53807","status":"final","version":"1","initial_release_date":"2026-06-11T20:05:48.548Z","current_release_date":"2026-06-13T03:55:33.863Z","revision_history":[{"date":"2026-06-11T20:05:48.548Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53807 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53807"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53807"},{"category":"external","summary":"GitHub Security Advisory (GHSA-w5ww-7chg-mxcq)","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq"},{"category":"external","summary":"vulncheck.com","url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-telegram-interactive-callbacks-via-commands-allowfrom"}]},"product_tree":{"branches":[{"category":"vendor","name":"OpenClaw","branches":[{"category":"product_name","name":"OpenClaw","branches":[{"category":"product_version_range","name":"<2026.5.6","product":{"name":"OpenClaw OpenClaw <2026.5.6","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"2026.5.6","product":{"name":"OpenClaw OpenClaw 2026.5.6","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53807","title":"OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom","notes":[{"category":"description","text":"OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":7.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 2026.5.6.","product_ids":["CSAFPID-1"],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq"}]}]}