How is CVE-2026-53849 exploited?

Network reachability (required): The attacker must reach the OpenClaw service over the network to submit the manipulated Discord display name and trigger the flawed identity check. Authentication (required): The attacker must hold a valid low-privilege Discord account; anonymous access is not sufficient, but no elevated or administrative privileges are needed. Victim interaction (not-required): No action by a victim or administrator is needed; the attacker triggers exploitation entirely through their own requests. Attack complexity (info): Exploitation is reliable and condition-free once the attacker controls a Discord account; no race conditions, memory layout dependencies, or other environmental factors are involved.

What is the impact of CVE-2026-53849?

The attacker reads data and resources accessible to the impersonated Discord identity, which may include sensitive agent configurations, credentials, or policy definitions. The attacker modifies agent state or policy entries scoped to the impersonated identity, potentially altering access controls or operational behavior within OpenClaw. Availability of the OpenClaw service itself is not impacted according to the CVSS vector; the attacker gains access without causing service disruption. The impact is contained to the vulnerable OpenClaw instance; no scope change to systems outside the affected component is indicated by the CVSS vector.

Back to search

HIGHCVE-2026-53849Published 2026-06-16Modified 2026-06-17CNA VulnCheck

CVE-2026-53849: OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom

Q: What is CVE-2026-53849?

This is a privilege escalation vulnerability in OpenClaw, an agent-access management tool, affecting all versions before 2026.5.7. The flaw is reachable over the network and requires only a low-privilege Discord account: an attacker sets their Discord display name to match a name listed in an allowFrom policy entry, which OpenClaw then incorrectly treats as proof of identity, because it checks mutable display names instead of stable, immutable user IDs. Successful exploitation grants the attacker unauthorized agent access scoped to whatever permissions the impersonated identity holds. A patched-image rebuild at version 2026.5.7 is available on HarborGuard for environments running an affected version.

Q: How is CVE-2026-53849 fixed?

A patched-image rebuild at OpenClaw 2026.5.7 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2026.5.7
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in OpenClaw, an agent-access management tool, affecting all versions before 2026.5.7. The flaw is reachable over the network and requires only a low-privilege Discord account: an attacker sets their Discord display name to match a name listed in an allowFrom policy entry, which OpenClaw then incorrectly treats as proof of identity, because it checks mutable display names instead of stable, immutable user IDs. Successful exploitation grants the attacker unauthorized agent access scoped to whatever permissions the impersonated identity holds. A patched-image rebuild at version 2026.5.7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-53849 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle OpenClaw. Coverage applies regardless of whether the image originates from a public base or an internally maintained layer.

Available

Triage

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within the customer organization based on configured policy rules.

Available

Patch

A patched-image rebuild at OpenClaw 2026.5.7 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the OpenClaw service over the network to submit the manipulated Discord display name and trigger the flawed identity check.
AuthenticationRequired
The attacker must hold a valid low-privilege Discord account; anonymous access is not sufficient, but no elevated or administrative privileges are needed.
Victim interactionNot required
No action by a victim or administrator is needed; the attacker triggers exploitation entirely through their own requests.
Attack complexityDetail
Exploitation is reliable and condition-free once the attacker controls a Discord account; no race conditions, memory layout dependencies, or other environmental factors are involved.

Blast Radius

The attacker reads data and resources accessible to the impersonated Discord identity, which may include sensitive agent configurations, credentials, or policy definitions.
The attacker modifies agent state or policy entries scoped to the impersonated identity, potentially altering access controls or operational behavior within OpenClaw.
Availability of the OpenClaw service itself is not impacted according to the CVSS vector; the attacker gains access without causing service disruption.
The impact is contained to the vulnerable OpenClaw instance; no scope change to systems outside the affected component is indicated by the CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-53849 activates automatically on image ingestion, with no manual configuration required. Where auto-remediation is enabled, HarborGuard rebuilds the affected image at OpenClaw 2026.5.7, runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, HarborGuard surfaces the finding with the fix version clearly identified so engineering teams can prioritize the upgrade. Because the flaw allows low-privilege Discord accounts to impersonate higher-privileged identities through a simple display-name change, teams that cannot patch immediately should consider restricting network access to OpenClaw's agent endpoint and auditing existing allowFrom entries for any display-name-based entries that could be targeted.

See how HarborGuard automates this

Fix available

2026.5.7

Affected packages

OpenClaw / OpenClaw
< 2026.5.7 (from 0)
Fixed in 2026.5.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available