Description
OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fail to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.5.6 contains an improper access control flaw in its Mattermost event handlers, where the system fails to validate channel type metadata. This omission allows an attacker to craft Mattermost events that omit or forge channel type information, thereby bypassing the intended direct-message policy controls and triggering the processing of content that should be restricted. The outcome is an attacker gaining unauthorized access to confidential or otherwise protected data that was gated by the DM policy.

Affected Systems

The affected product is OpenClaw, specifically the OpenClaw application. Any installation running a version older than 2026.5.6 is vulnerable, as the issue was addressed in that release and later versions. No other vendors or products are listed as impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 6.3, indicating a medium severity weakness. The EPSS score is not available, so the current probability of exploitation is unknown, and it is not listed in the CISA KEV catalog. The likely attack vector involves an attacker with the ability to send or inject Mattermost events targeting the affected system; by omitting the channel type field, the attacker can trick the event handler into processing restricted content. Successful exploitation would give the attacker unauthorized access to data that should otherwise be protected by the application’s policy controls.

Generated by OpenCVE AI on June 13, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by updating OpenClaw to version 2026.5.6 or later.
  • Ensure that only authenticated and authorized Mattermost event sources are sent to the OpenClaw event endpoints, rejecting events from unknown origins.
  • Monitor event handling logs for unexpected events lacking channel type metadata and investigate any anomalies to detect potential abuse.

Generated by OpenCVE AI on June 13, 2026 at 00:06 UTC.
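The flaw described above (CWE-636, failing open when channel type metadata is absent) and the monitoring action listed above can both be illustrated with a small model of a DM policy gate. This is an added example written for this page, not OpenClaw's own code; the event shape, the "allowed senders" policy and the sample events are constructed assumptions, while the channel type codes ('D', 'G', 'O', 'P') are Mattermost's.

```javascript
// Hypothetical DM policy gate for Mattermost events (not OpenClaw's code).
// Mattermost channel types: 'D' direct, 'G' group, 'O' open, 'P' private.
// The "allowedSenders" policy and the sample events are constructed for this example.

const DM_TYPES = new Set(['D', 'G']);
const KNOWN_TYPES = new Set(['D', 'G', 'O', 'P']);

// Vulnerable gate: an event with no channel_type is silently treated as "not a DM",
// so the DM policy is never consulted and the event is processed (fails open).
function allowVulnerable(event, policy) {
  const isDm = DM_TYPES.has(event.channel_type);
  if (!isDm) return true; // missing channel_type lands here
  return policy.allowedSenders.has(event.user_id);
}

// Hardened gate: fail closed. Missing or unrecognised channel_type is rejected
// before any policy decision; only a known channel type can reach the DM check.
function allowHardened(event, policy) {
  const t = event.channel_type;
  if (typeof t !== 'string' || !KNOWN_TYPES.has(t)) return false;
  if (!DM_TYPES.has(t)) return true;
  return policy.allowedSenders.has(event.user_id);
}

// Detection helper for log review: ids of events lacking channel type metadata.
function eventsMissingChannelType(events) {
  return events.filter(e => typeof e.channel_type !== 'string').map(e => e.id);
}

// Constructed policy and sample events.
const policy = { allowedSenders: new Set(['u_paired']) };
const sampleEvents = [
  { id: 'e1', channel_type: 'D', user_id: 'u_paired', text: 'hi' },
  { id: 'e2', channel_type: 'D', user_id: 'u_stranger', text: 'hi' },
  { id: 'e3', user_id: 'u_stranger', text: 'hi' }, // channel_type omitted
  { id: 'e4', channel_type: 'O', user_id: 'u_stranger', text: 'hi' },
];

// Side-by-side decisions of both gates for each event.
function compare(events, pol) {
  return events.map(e => ({
    id: e.id,
    vulnerable: allowVulnerable(e, pol),
    hardened: allowHardened(e, pol),
  }));
}

console.table(compare(sampleEvents, policy));
console.log('events missing channel_type:', eventsMissingChannelType(sampleEvents));
```

Event e3 is the interesting row: the vulnerable gate admits it because the absent channel type never registers as a DM, while the hardened gate rejects it and the detection helper surfaces it for investigation.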


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 15:30:00 +0000

Values Removed: (empty)

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 22:15:00 +0000

Values Removed: (empty)

Type: Description
Values Added: OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.

Type: Title
Values Added: OpenClaw < 2026.5.6 - Missing Channel Type Validation in Mattermost Event Handlers

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-636

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1
  {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: cvssV4_0
  {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T15:10:01.881Z

Reserved: 2026-06-10T21:19:32.651Z

Link: CVE-2026-53837

Vulnrichment

Updated: 2026-06-15T15:09:57.975Z

NVD

Status : Analyzed

Published: 2026-06-12T22:16:55.567

Modified: 2026-06-16T00:21:33.940

Link: CVE-2026-53837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T00:30:09Z

Weaknesses
  • CWE-636: Not Failing Securely ('Failing Open')