CVE-2026-53833
7.7 HIGHOpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders...
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS
- 7.7 HIGH
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-290
Description
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53832 — OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy id... (7.7 HIGH)
- CVE-2026-53823 — OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names (8.1 HIGH)
- CVE-2026-5792 — Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc (6.5 MEDIUM)
- CVE-2026-53817 — OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to... (8.8 HIGH)
- CVE-2026-53811 — OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts... (8.8 HIGH)