Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.29.
DescriptionCVE.org
OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked.
AnalysisAI
Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.
Technical ContextAI
OpenClaw's QQBot integration exposes admin commands that are intended to be policy-gated through two mechanisms: a DM-only restriction (commands must originate from direct messages) and an allowFrom list (commands only accepted from specific authorized senders). The root cause is CWE-863 (Incorrect Authorization) - the enforcement logic for these two policy controls can be bypassed, allowing command routing from contexts or senders the policy explicitly prohibits. The CVSS 4.0 vector's AT:P (Attack Requirements: Present) confirms that specific preconditions must be met, consistent with the need to be an authenticated participant in the bot environment. No CPE strings were provided; affected product scope is derived solely from the vendor description.
RemediationAI
The primary fix is to upgrade OpenClaw to version 2026.4.29 or later, which resolves the policy bypass in QQBot admin command handling. Full details are available in the vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-w4v6-g3wm-w36c and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-policy-bypass-in-qqbot-admin-commands-via-dm-only-and-allowfrom-checks. If immediate patching is not feasible, consider disabling QQBot admin command functionality entirely until the patch can be applied - this eliminates the attack surface at the cost of losing bot admin capabilities. Alternatively, restrict which authenticated accounts have permission to issue QQBot admin commands at the application access control layer, and audit existing allowFrom configurations to minimize the pool of users who could attempt this bypass.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33334
GHSA-vhpw-p338-rhp9