CVE-2026-53833

CVE Database · CVE-2026-53833

CVE-2026-53833

· HIGHReceived

CVSS v3.1

7.7

CVSS v4.0

7.4

EPSS

0.16%

Published

Jun 12, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-290

References (2)

https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6

https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command

KEV Catalog EPSS Scores Vendors All CVEs