Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via messaging platform but requires authenticated sender identity (PR:L) and a specific allowFrom-policy deployment (AC:H); integrity-only impact via unauthorized command invocation.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration.
AnalysisAI
Authorization bypass in OpenClaw's QQBot component before version 2026.4.27 allows authenticated senders to invoke slash commands before allowFrom policy checks execute, effectively skipping operator-configured access controls. The flaw stems from pre-dispatch command handling that runs prior to policy enforcement, enabling blocked senders to trigger command handlers depending on deployment configuration. No public exploit identified at time of analysis, and CVSS 4.0 scoring of 8.2 reflects high integrity impact with an attack requirement (AT:P) suggesting non-trivial conditions.
Technical ContextAI
OpenClaw is the affected application (CPE cpe:2.3:a:openclaw:openclaw) and ships a QQBot module that dispatches slash commands received from messaging senders. The root cause is CWE-863 (Incorrect Authorization): authorization decisions defined by the allowFrom policy are evaluated after - rather than before - initial command handler entry, so the pre-dispatch code path executes logic that should have been gated. This is a classic ordering bug in policy enforcement, where the authorization check exists but is not reached in time, distinct from missing authorization (CWE-862).
RemediationAI
Upgrade OpenClaw to version 2026.4.27 or later, which contains the fix per the GitHub Security Advisory GHSA-77pv-3w4q-vrj5 (https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5). If immediate upgrade is not possible, operators relying on QQBot's allowFrom policy should disable the QQBot module entirely until patched, since the bypass occurs before policy evaluation and cannot be reliably blocked by tightening the allowFrom list itself; the trade-off is loss of all QQBot functionality. Alternatively, restrict the messaging-platform tenant or channel so that only trusted senders can reach the bot at the transport layer (out-of-band ACL), accepting that this duplicates policy in two places. Cross-reference the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-qqbot-pre-dispatch-slash-commands for additional detection guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36622
GHSA-35c7-4r45-9gv3