What happened
CVE-2026-53860 (CVSS 4.2 MEDIUM) published 2026-06-16. OpenClaw before 2026.5.7 contains a sender policy bypass in its BlueBubbles integration: participants can match allowlist entries by manipulating conversation metadata, because the check does not verify a stable sender identity.
Why it matters
This continues the pattern of mutable-identity policy bypasses across OpenClaw's messaging integrations. The blast radius is narrow (BlueBubbles is a niche Apple Messages bridge) and the CVSS is lower, but the underlying design flaw is the same as in the Discord and Zalo variants.
Attack vector
Attackers influence conversation-level identifiers in BlueBubbles to match allowlist entries, causing OpenClaw to route agent responses to unintended recipients.
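To illustrate the flaw class described above, here is an added TypeScript example (not OpenClaw's or BlueBubbles' code; the message field names, the allowlist entry and the sample messages are constructed) contrasting a policy check that consults conversation metadata with one that keys only on the stable sender identity and flags the mismatch for detection.

```typescript
// Hypothetical bridge message shape. Only senderAddress is a stable identity;
// the chat identifier and display name are conversation-level metadata that
// other participants can change.
interface BridgeMessage {
  senderAddress: string;    // stable identity of the sending account
  chatIdentifier: string;   // conversation id, not a sender property
  chatDisplayName: string;  // group title, editable by any participant
  text: string;
}

interface Decision { allowed: boolean; reason: string }

// Constructed allowlist entry (one trusted sender).
const ALLOWLIST = new Set(["+15550000001"]);

function normalize(id: string): string {
  return id.trim().toLowerCase();
}

// Weak policy: matches if ANY identifier attached to the message is on the
// allowlist, so mutable conversation metadata can satisfy the check.
function isAllowedWeak(msg: BridgeMessage): boolean {
  const candidates = [msg.senderAddress, msg.chatIdentifier, msg.chatDisplayName];
  return candidates.some((id) => ALLOWLIST.has(normalize(id)));
}

// Hardened policy: only the stable sender identity is consulted. A match on
// conversation metadata without a sender match is surfaced as a reason so it
// can be logged and alerted on.
function evaluateSenderPolicy(msg: BridgeMessage): Decision {
  if (ALLOWLIST.has(normalize(msg.senderAddress))) {
    return { allowed: true, reason: "sender on allowlist" };
  }
  const metadataHit = [msg.chatIdentifier, msg.chatDisplayName]
    .some((id) => ALLOWLIST.has(normalize(id)));
  return {
    allowed: false,
    reason: metadataHit
      ? "conversation metadata matches allowlist but sender does not"
      : "sender not on allowlist",
  };
}

// Constructed samples: an unlisted sender in a group whose title was set to
// an allowlisted address, and a genuine message from the allowlisted sender.
const spoofed: BridgeMessage = {
  senderAddress: "+15559999999", chatIdentifier: "chat-42",
  chatDisplayName: "+15550000001", text: "run the deploy",
};
const legit: BridgeMessage = {
  senderAddress: "+15550000001", chatIdentifier: "chat-7",
  chatDisplayName: "Ops", text: "status?",
};
```

`isAllowedWeak(spoofed)` is true while `evaluateSenderPolicy(spoofed).allowed` is false with a reason that names the metadata match; the legitimate message passes both checks.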
Affected systems
OpenClaw < 2026.5.7 (BlueBubbles integration)
Mitigation
Upgrade OpenClaw to version 2026.5.7 or later. Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g