CVE-2026-53833
Description
OpenClaw before 2026.4.29 contains an authorization bypass in the QQBot streaming command, allowing authenticated senders to modify configuration without explicit allowFrom restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenClaw before version 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command. The command does not require an explicit non-wildcard allowlist entry (allowFrom), allowing authenticated QQBot senders to mutate the streaming configuration. The vulnerability is present in all versions prior to the fix [1][2].
Exploitation
An attacker must be an authenticated sender to the QQBot endpoint and the affected streaming command must be reachable. No further authentication or special privileges beyond valid sender credentials are required. The attacker can simply issue the QQBot streaming command to modify configuration without being restricted by the expected allowFrom allowlist [1].
Impact
Successful exploitation allows the attacker to modify QQBot streaming configuration outside the intended administrator policy. The practical impact depends on the operator's configuration and whether lower-trust input can reach that path. This could lead to unauthorized changes in streaming behavior, potentially affecting message handling and security boundaries [1].
Mitigation
The first stable patched version is 2026.4.29 [1]. Users unable to upgrade should disable the affected command or restrict it to explicitly trusted QQBot senders as a workaround. General hardening includes keeping channel and tool allowlists narrow, avoiding shared Gateways between untrusted users, and disabling the feature when not needed [1][2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
1a448042c2edd test(qa): extend restart boundary wait
1 file changed · +2 −1
extensions/qa-lab/src/gateway-child.ts+2 −1 modified@@ -44,6 +44,7 @@ import type { QaTransportAdapter } from "./qa-transport.js"; export type { QaCliBackendAuthMode } from "./providers/env.js"; const QA_GATEWAY_CHILD_STARTUP_MAX_ATTEMPTS = 5; const QA_GATEWAY_CHILD_RPC_RETRY_HEALTH_TIMEOUT_MS = 60_000; +const QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS = 90_000; const QA_GATEWAY_CHILD_BLOCKED_SECRET_ENV_VARS = Object.freeze([ "OPENCLAW_QA_CONVEX_SECRET_CI", "OPENCLAW_QA_CONVEX_SECRET_MAINTAINER", @@ -276,7 +277,7 @@ async function waitForQaGatewayRestartBoundary(params: { pollMs?: number; timeoutMs?: number; }) { - const timeoutMs = params.timeoutMs ?? 30_000; + const timeoutMs = params.timeoutMs ?? QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS; const pollMs = params.pollMs ?? 100; const startedAt = Date.now(); while (Date.now() - startedAt < timeoutMs) {
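Review bot: the new `QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS = 90_000` in the first hunk has no comment saying why the restart boundary wait needs 90 s when the neighbouring `QA_GATEWAY_CHILD_RPC_RETRY_HEALTH_TIMEOUT_MS` is 60_000; add a one-line comment naming the restart path it covers, since the commit message only says "extend" and a later reader cannot tell whether the gap between the two constants is deliberate.

Review bot: in the `waitForQaGatewayRestartBoundary` hunk, replacing `params.timeoutMs ?? 30_000` with the 90_000 constant triples the default wait for every caller that omits `timeoutMs`, while `pollMs` stays at 100, so a wait that never succeeds now spins roughly 900 iterations before leaving the loop; check whether any caller relied on the 30 s bound and should now pass an explicit `timeoutMs`, and record the new default in the function's doc comment so the longer QA run is visibly intentional.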
Vulnerability mechanics
Root cause
"The QQBot streaming command lacks explicit allowFrom restrictions, allowing authenticated senders to mutate configuration without authorization."
Attack vector
An authenticated sender can trigger the QQBot streaming command without satisfying the explicit allowFrom restrictions intended by the admin policy. Because the command does not enforce a non-wildcard allowlist entry requirement, an attacker who is already authenticated can mutate configuration outside the intended administrative boundaries. The attack is local (AV:L) and requires no additional privileges (PR:N) beyond authentication. [patch_id=5752425]
Affected code
The advisory does not identify specific affected functions or files; the patch provided (patch_id=5752425) changes only a timeout constant in `extensions/qa-lab/src/gateway-child.ts`, which is unrelated to authorization logic. The patch diff does not show any changes related to the QQBot streaming command or authorization checks.
What the fix does
The patch fixes a QA test timeout value by replacing a hard-coded 30 s default with a named constant (`QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS` set to 90 s). It does **not** modify the QQBot streaming command or any authorization/allowlist logic. The advisory describes a server-side authorization bypass that is not remediated by this code change; the vendor would need to add explicit allowFrom enforcement on the affected command to close the vulnerability.
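An added illustration of the missing check the paragraph above describes, not OpenClaw code: the loose allowlist shape that accepts a wildcard beside a strict check that requires an explicit non-wildcard `allowFrom` entry before a sender may mutate streaming configuration. Every type, function and sender identifier below is hypothetical.

```typescript
// Added example, not OpenClaw code. Names and config shape are hypothetical.
export interface StreamingConfig {
  enabled: boolean;
  chunkSize: number;
}

export interface QQBotChannelConfig {
  allowFrom?: string[]; // sender IDs permitted to change configuration
  streaming: StreamingConfig;
}

const WILDCARD = "*";

// Loose check (the shape of the bug): an absent list or a bare "*" admits
// any authenticated sender, so per-sender admin policy is never enforced.
export function isAllowedLoose(senderId: string, allowFrom?: string[]): boolean {
  if (!allowFrom || allowFrom.length === 0) return true;
  return allowFrom.includes(WILDCARD) || allowFrom.includes(senderId);
}

// Strict check: the sender must match an explicit, non-wildcard entry.
// Wildcard and blank entries are dropped first, so an absent or empty list,
// a "*"-only list, or a sender literally named "*" never passes.
export function isExplicitlyAllowed(senderId: string, allowFrom?: string[]): boolean {
  if (!allowFrom) return false;
  const explicit = allowFrom.map((e) => e.trim()).filter((e) => e !== WILDCARD && e !== "");
  return explicit.includes(senderId.trim());
}

export type UpdateResult =
  | { ok: true; config: QQBotChannelConfig }
  | { ok: false; reason: string };

// Guarded mutation: the streaming config changes only for explicitly allowed senders.
export function applyStreamingUpdate(
  cfg: QQBotChannelConfig,
  senderId: string,
  patch: Partial<StreamingConfig>,
): UpdateResult {
  if (!isExplicitlyAllowed(senderId, cfg.allowFrom)) {
    return { ok: false, reason: `sender ${senderId} has no explicit allowFrom entry` };
  }
  return { ok: true, config: { ...cfg, streaming: { ...cfg.streaming, ...patch } } };
}

// Constructed sample: a wildcard-only policy, as an operator might set by mistake.
export const SAMPLE_CONFIG: QQBotChannelConfig = {
  allowFrom: ["*"],
  streaming: { enabled: false, chunkSize: 512 },
};
```

With `SAMPLE_CONFIG`, `isAllowedLoose` admits any authenticated sender, while `applyStreamingUpdate` refuses until the operator lists that sender explicitly.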
Preconditions
- auth: Attacker must be an authenticated sender on the local system.
- config: The QQBot streaming command must be reachable (no non-wildcard allowlist entry required).
- network: Network access is local (AV:L).
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0): no linked articles in our index yet.