Qqbot
Monthly
Authorization bypass in OpenClaw versions prior to 2026.4.29 allows authenticated QQBot senders to modify streaming configuration without satisfying the intended allowFrom allowlist policy, when those entries lack non-wildcard restrictions. The flaw stems from missing identity verification on the QQBot streaming command path (CWE-290) and was reported by VulnCheck; no public exploit identified at time of analysis.
Authorization bypass in OpenClaw versions prior to 2026.4.29 allows authenticated QQBot senders to modify streaming configuration without satisfying the intended allowFrom allowlist policy, when those entries lack non-wildcard restrictions. The flaw stems from missing identity verification on the QQBot streaming command path (CWE-290) and was reported by VulnCheck; no public exploit identified at time of analysis.