Impact
OpenClaw before version 2026.5.6 contains an improper access control flaw in its Mattermost event handlers: the handlers do not validate channel type metadata. Because of this omission, an attacker can craft Mattermost events that omit or forge the channel type, bypassing the intended direct-message (DM) policy controls and causing the handlers to process content that should be restricted. The result is unauthorized access to confidential or otherwise protected data that the DM policy was meant to gate.
Affected Systems
The affected product is the OpenClaw application. Any installation running a version older than 2026.5.6 is vulnerable; the issue was fixed in that release, so 2026.5.6 and later are not affected. No other vendors or products are listed as impacted.
Risk and Exploitability
The vulnerability has a CVSS score of 6.3, which is medium severity. No EPSS score is available, so the current probability of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker who can send or inject Mattermost events that reach the affected system; by omitting the channel type field, the attacker can cause the event handler to process restricted content. Successful exploitation gives the attacker unauthorized access to data that the application's policy controls should otherwise protect.
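The failure mode described above, as an added example that is not OpenClaw's code: a Mattermost "posted" event is gated by a DM allowlist. The vulnerable handler applies the policy only when the event itself claims to be a DM, so an event with the channel type stripped skips the check; the hardened handler resolves the channel type from an authoritative directory (a stand-in for a channel lookup against the Mattermost API) and fails closed. Event shape, channel ids, the allowlist and the directory are all constructed assumptions.

```typescript
// Hypothetical handler logic, not OpenClaw's implementation.
type ChannelType = "D" | "G" | "P" | "O"; // Mattermost: direct, group, private, open

interface MattermostEvent {
  event: string;
  data: Record<string, unknown>;      // "posted" events carry channel_type here
  broadcast?: { channel_id?: string };
}

// Constructed stand-in for an authoritative lookup (e.g. GET /api/v4/channels/{id}).
const CHANNEL_DIRECTORY: Record<string, ChannelType> = {
  dm_alice_bot: "D",
  town_square: "O",
};

// Constructed DM policy: only these senders may address the bot in a DM.
const DM_ALLOWLIST = new Set(["alice"]);

// Vulnerable pattern: the DM policy runs only if the event *says* it is a DM.
// An event that omits or forges data.channel_type is treated as a public
// channel post and is processed without any DM gating.
function allowVulnerable(ev: MattermostEvent, sender: string): boolean {
  if (ev.data.channel_type === "D") return DM_ALLOWLIST.has(sender);
  return true;
}

// Hardened pattern: ignore the event's own claim, resolve the channel type from
// an authoritative source, and refuse anything that cannot be resolved.
function allowHardened(ev: MattermostEvent, sender: string): boolean {
  const channelId = ev.broadcast?.channel_id;
  if (typeof channelId !== "string") return false; // no channel id: fail closed
  const type = CHANNEL_DIRECTORY[channelId];
  if (type === undefined) return false;             // unknown channel: fail closed
  if (type === "D") return DM_ALLOWLIST.has(sender);
  return true;
}

// Constructed sample events: an honest DM and the same DM with channel_type stripped.
const honestDm: MattermostEvent = {
  event: "posted",
  data: { channel_type: "D" },
  broadcast: { channel_id: "dm_alice_bot" },
};
const strippedDm: MattermostEvent = {
  event: "posted",
  data: {},
  broadcast: { channel_id: "dm_alice_bot" },
};
```

Running both handlers over the two events shows the difference: the vulnerable one lets an unlisted sender through on the stripped event, the hardened one rejects it.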
OpenCVE Enrichment