Authorization Bypass Vulnerability in OpenClaw QQBot by OpenClaw
CVE-2026-53834

8.2HIGH

Key Information:

Vendor

Openclaw

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-53834?

The OpenClaw product prior to the 2026.4.27 release contains a significant authorization bypass vulnerability affecting its QQBot feature. This flaw allows authenticated users to bypass the configured allowFrom policy checks when invoking slash commands. Consequently, this may enable attackers to execute commands without proper oversight, circumventing existing access control measures if the operator's configuration inadvertently permits such actions. Addressing this vulnerability is crucial to safeguarding against unauthorized command execution and ensuring the integrity of operational policies.

Affected Version(s)

OpenClaw 0 < 2026.4.27

OpenClaw 2026.4.27

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zsx (@zsxsoft)
KeenSecurityLab
qclawer
.