OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command

7.4 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.

Basic Information

ID CVE-2026-53833

Source VulnCheck

Published Jun 12, 2026 at 21:56

Affected Product

Vendor QQBot

Product QQBot

Affected Versions QQBot QQBot 0

CWE Classification

CWE-290

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.",
    "published": "2026-06-12T21:56:57.866Z",
    "modified": "2026-06-12T21:56:57.866Z",
    "type": "cve",
    "title": "OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6\nhttps://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command",
    "id": "CVE-2026-53833",
    "bulletinFamily": "",
    "cwe": [
        "CWE-290"
    ],
    "cvelist": null,
    "sourceData": "QQBot QQBot 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "QQBot",
    "version": "0",
    "vendor": "QQBot",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command_CVE-2026-53833