SecuriTricks - CVE-2026-53837

Description

OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.

Product(s) Impacted

Vendor	Product	Versions
Openclaw	Openclaw	*
Mattermost	Mattermost	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-636

Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	openclaw	openclaw	/	/	/	/	/	/	/	/
a	mattermost	mattermost	/	/	/	/	/	/	/	/

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-gp79-m99v-gjmh

https://www.vulncheck.com/advisories/openclaw-missing-channel-type-validation-in-mattermost-event-handlers

CVSS Score

6.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: PRESENT
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 12, 2026, 10:16 p.m.
Last Modified: June 12, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-53837