Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must reach the bot's local command channel as an authenticated QQ sender (AV:L, PR:L); exploitation depends on a permissive allowFrom configuration (AC:H); availability is unaffected.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.29.
DescriptionCVE.org
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
AnalysisAI
Authorization bypass in OpenClaw versions prior to 2026.4.29 allows authenticated QQBot senders to modify streaming configuration without satisfying the intended allowFrom allowlist policy, when those entries lack non-wildcard restrictions. The flaw stems from missing identity verification on the QQBot streaming command path (CWE-290) and was reported by VulnCheck; no public exploit identified at time of analysis.
Technical ContextAI
OpenClaw integrates a QQBot streaming command handler that is expected to be gated by an allowFrom policy specifying which QQ identities may invoke configuration-mutating actions. The root cause is CWE-290 (Authentication Bypass by Spoofing): the streaming command dispatcher accepts senders whose identity matches only wildcard or absent allowlist entries, effectively skipping the explicit per-sender authorization check. The affected component is identified in NVD CPE data as cpe:2.3:a:qqbot:qqbot:*:*:*:*:*:*:*:* under the OpenClaw project, indicating the QQBot adapter module is the vulnerable surface rather than core OpenClaw routing logic.
RemediationAI
Upgrade OpenClaw to version 2026.4.29 or later, which enforces non-wildcard allowFrom checks on the QQBot streaming command (see GHSA-jvm4-4j77-39p6). Until the patch can be deployed, audit every QQBot allowFrom configuration and replace any wildcard (*) or absent entries with explicit QQ identifiers for authorized administrators, accepting the side effect that legitimate but unlisted senders will lose access to streaming commands. As an additional compensating control, restrict the QQBot adapter's network reachability so only the intended bot framework process can deliver commands to the OpenClaw endpoint, which prevents external command injection at the cost of breaking any out-of-band integrations.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36621
GHSA-r27j-fxmq-rg2q