Detections
Analytics

CVE-2026-53833

high

Description

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.

References

https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command

https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-06-12

Risk Information

CVSS v2

Base Score: 6.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 7.7

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: High

CVSS v4

Base Score: 7.4

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00012