CVE-2026-53834
Description
OpenClaw before 2026.4.27 lets QQBot senders bypass allowFrom policy checks by dispatching slash commands before access control is applied, potentially allowing blocked users to trigger commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenClaw versions prior to 2026.4.27 contain an authorization bypass vulnerability in the QQBot pre-dispatch slash command handling. When the affected feature is enabled, authenticated senders can invoke slash commands before the configured allowFrom policy checks are applied. This allows commands to be dispatched without verifying whether the sender is permitted by the access control list. The official advisory notes that the issue is scoped to this specific feature and configuration, and does not affect other parts of the OpenClaw trusted-operator model [1][2].
Exploitation
An attacker who is authenticated as a QQBot sender and can invoke slash commands simply sends a slash command to the bot. Due to the pre-dispatch order, the command is processed before the allowFrom policy is consulted, thereby skipping the intended access control. No additional privileges or user interaction beyond authenticated access to QQBot is required. The vulnerability can be exploited over the network with low attack complexity and no privileges beyond the initial authenticated session [1][2].
Impact
Successful exploitation allows the attacker to trigger command handling from a sender that the configured policy should have blocked. The practical impact depends on the operator's configuration and whether lower-trust input can reach that command path. According to the advisory, the confidentiality impact is none, but the integrity impact is high, meaning the attacker could execute unauthorized commands. There is no availability impact [1][2].
Mitigation
OpenClaw patched this vulnerability in version 2026.4.27. Operators should update to this version or later. If an immediate update is not possible, mitigations include restricting QQBot slash command exposure, keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when it is not needed [1][2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
1cbc2ba093146 chore(release): prepare 2026.4.27 stable
2 files changed · +2 −2
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "openclaw", - "version": "2026.4.27-beta.1", + "version": "2026.4.27", "description": "Multi-channel AI gateway with extensible messaging integrations", "keywords": [], "homepage": "https://github.com/openclaw/openclaw#readme",
src/config/schema.base.generated.ts+1 −1 modified@@ -28868,6 +28868,6 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = { tags: ["advanced", "url-secret"], }, }, - version: "2026.4.27-beta.1", + version: "2026.4.27", generatedAt: "2026-03-22T21:17:33.302Z", };
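Review bot: the `src/config/schema.base.generated.ts` hunk hand-edits a generated file, bumping `version` to `"2026.4.27"` while `generatedAt: "2026-03-22T21:17:33.302Z"` is left as it was; regenerate the file so the version and timestamp move together, otherwise the stamp no longer says when the schema was actually produced. Neither this hunk nor the `package.json` one touches QQBot dispatch or `allowFrom` handling, so this release-prep commit should not be cited as the fix for the ordering bug; the patch link should point at the commit that moves the policy check ahead of slash-command dispatch.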
Vulnerability mechanics
Root cause
"QQBot pre-dispatch slash commands are evaluated before allowFrom policy checks, allowing blocked senders to invoke commands."
Attack vector
An authenticated sender sends a slash command to the QQBot integration. The pre-dispatch handler processes the command before the configured `allowFrom` access control policy is evaluated, causing commands from blocked senders to be accepted and handled. The attack is network-based, requires no special privileges beyond being an authenticated sender, and requires no user interaction. [patch_id=5752424]
Affected code
The patch only bumps the version string from `2026.4.27-beta.1` to `2026.4.27` in `package.json` and `src/config/schema.base.generated.ts`. No functional code is changed, so the fix for the authorization bypass is not visible in this diff. The advisory describes the flaw in QQBot pre-dispatch slash commands that skip `allowFrom` policy checks.
What the fix does
The patch does not contain any functional change — it only updates the version tag from `2026.4.27-beta.1` to `2026.4.27`. The advisory notes that the vulnerability was addressed in the stable release, but the underlying fix logic is not included in this diff. Operators should verify they are running the `2026.4.27` stable release or later to ensure the pre-dispatch ordering issue is corrected. [patch_id=5752424]
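A minimal model of the check-ordering bug described above, added here as an illustration and not OpenClaw's own code: the vulnerable handler dispatches slash commands as a pre-step before the `allowFrom` gate, while the fixed handler evaluates the gate first for every inbound message. The policy shape, sender ids, function names and the audit log are all assumptions.

```typescript
// Added illustration of the pre-dispatch ordering flaw; not OpenClaw code.
// The policy shape and names below are assumptions, not the project's schema.
type AllowFromPolicy = { allowFrom?: string[] }; // undefined => no allowlist (assumed)
type Inbound = { senderId: string; text: string };
type Verdict = "command" | "denied" | "chat";

// Constructed audit log of slash commands that actually reached a handler.
const executed: string[] = [];

function executedCommands(): string[] {
  return [...executed];
}

function isAllowed(policy: AllowFromPolicy, senderId: string): boolean {
  return policy.allowFrom === undefined || policy.allowFrom.includes(senderId);
}

// Dispatches "/cmd ..." to its handler; returns false for ordinary chat text.
function dispatchSlash(msg: Inbound): boolean {
  if (!msg.text.startsWith("/")) return false;
  executed.push(`${msg.senderId}:${msg.text.split(/\s+/)[0]}`);
  return true;
}

// Vulnerable ordering: slash commands are handled before allowFrom is consulted,
// so a blocked sender still gets "/status" executed; only plain chat is gated.
function handleVulnerable(policy: AllowFromPolicy, msg: Inbound): Verdict {
  if (dispatchSlash(msg)) return "command";
  if (!isAllowed(policy, msg.senderId)) return "denied";
  return "chat";
}

// Fixed ordering: the policy gate is the first thing every message passes,
// so slash commands and chat from a blocked sender are refused alike.
function handleFixed(policy: AllowFromPolicy, msg: Inbound): Verdict {
  if (!isAllowed(policy, msg.senderId)) return "denied";
  if (dispatchSlash(msg)) return "command";
  return "chat";
}

// Regression check worth keeping in a test suite: a blocked sender's slash
// command must be denied AND must leave no trace in the executed log.
function blockedSlashIsDenied(handler: typeof handleFixed): boolean {
  const before = executed.length;
  const verdict = handler({ allowFrom: ["operator-1"] }, { senderId: "stranger-9", text: "/status" });
  return verdict === "denied" && executed.length === before;
}
```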
Preconditions
- auth: Attacker must be an authenticated sender to the QQBot channel
- config: The operator must have configured `allowFrom` policies that would normally block the sender
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References