OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
Metrics
Affected Vendors & Products
References
History
Tue, 16 Jun 2026 00:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openclaw
Openclaw openclaw |
|
| CPEs | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* | |
| Vendors & Products |
Openclaw
Openclaw openclaw |
Mon, 15 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sat, 13 Jun 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command | QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command |
| First Time appeared |
Qqbot
Qqbot qqbot |
|
| Vendors & Products |
Qqbot
Qqbot qqbot |
Fri, 12 Jun 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements. | |
| Title | OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command | |
| Weaknesses | CWE-290 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-12T21:56:57.866Z
Updated: 2026-06-15T18:17:47.370Z
Reserved: 2026-06-10T21:16:58.212Z
Link: CVE-2026-53833
Updated: 2026-06-15T18:17:42.850Z
Status : Analyzed
Published: 2026-06-12T22:16:54.947
Modified: 2026-06-16T00:34:44.637
Link: CVE-2026-53833
No data.