CVE-2026-53833 | OpenClaw before 2026.4.29 contains an authorization bypass v… | CVSS 7.7 HIGH

Description

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.

Metadata

CVE ID: CVE-2026-53833
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 21:16 UTC
Published: 2026-06-12 21:56 UTC
Last updated: 2026-06-13 12:00 UTC
Primary CWE: CWE-290
Authentication Bypass by Spoofing
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.4.29, 2026.4.29

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	Authentication Bypass by Spoofing

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-jvm4-4j77-39p6) https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6
VulnCheck Advisory: OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command