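This page uses advanced large language model technology, and its output may contain inaccurate or outdated information. Shenlong strives to ensure data accuracy, but verify the information and judge it against the actual situation.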
| # | POC description | Source link | Shenlong link |
|---|---|---|---|

No public POCs were found.

| CVE | Score | Title |
|---|---|---|
| CVE-2026-53843 | 8.8 HIGH | OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session |
| CVE-2026-53853 | 8.3 HIGH | OpenClaw < 2026.5.12 - Argument Pattern Bypass in Exec Allowlist via Linux and macOS |
| CVE-2026-53864 | 8.1 HIGH | OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control V |
| CVE-2026-53855 | 8.1 HIGH | OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks |
| CVE-2026-53849 | 8.1 HIGH | OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom |
| CVE-2026-53857 | 8.1 HIGH | OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy |
| CVE-2026-53866 | 8.1 HIGH | OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing |
| CVE-2026-53846 | 7.1 HIGH | OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath |
| CVE-2026-53865 | 7.1 HIGH | OpenClaw < 2026.5.2 - Arbitrary Command Execution via Workspace-Derived Service PATH |
| CVE-2026-53858 | 7.1 HIGH | OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment |
| CVE-2026-53840 | 7.1 HIGH | OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streamable HTTP Cross-Origin Redirect |
| CVE-2026-53842 | 7.1 HIGH | OpenClaw < 2026.5.2 - Arbitrary Python Runtime Execution via CLOUDSDK_PYTHON Environment V |
| CVE-2026-53863 | 7.1 HIGH | OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy |
| CVE-2026-53861 | 6.6 MEDIUM | OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS |
| CVE-2026-53859 | 6.5 MEDIUM | OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency |
| CVE-2026-53854 | 6.5 MEDIUM | OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Int |
| CVE-2026-53844 | 6.5 MEDIUM | OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search |
| CVE-2026-53841 | 6.1 MEDIUM | OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session |
| CVE-2026-53856 | 5.5 MEDIUM | OpenClaw 2026.4.23 < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw |
| CVE-2026-53850 | 5.5 MEDIUM | OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command |
Showing 20 of 27 CVEs.