{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53833: QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53833","status":"final","version":"1","initial_release_date":"2026-06-12T21:56:57.866Z","current_release_date":"2026-06-15T18:17:47.370Z","revision_history":[{"date":"2026-06-12T21:56:57.866Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"OpenClaw before 2026.4.29 contains an authorization bypass in the QQBot streaming command. The command does not require an explicit, non-wildcard allowFrom allowlist entry before accepting a request, so any authenticated sender who can reach it can modify the QQBot streaming configuration, outside the admin policy that allowFrom is intended to enforce.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53833 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53833"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53833"},{"category":"external","summary":"GitHub Security Advisory (GHSA-jvm4-4j77-39p6)","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6"},{"category":"external","summary":"VulnCheck Advisory: OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command","url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command"}]},"product_tree":{"branches":[{"category":"vendor","name":"OpenClaw","branches":[{"category":"product_name","name":"OpenClaw","branches":[{"category":"product_version_range","name":"<2026.4.29","product":{"name":"OpenClaw OpenClaw <2026.4.29","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"2026.4.29","product":{"name":"OpenClaw OpenClaw 2026.4.29","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53833","title":"QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command","notes":[{"category":"description","text":"OpenClaw before 2026.4.29 contains an authorization bypass in the QQBot streaming command. The command does not require an explicit, non-wildcard allowFrom allowlist entry before accepting a request, so any authenticated sender who can reach it can modify the QQBot streaming configuration, outside the admin policy that allowFrom is intended to enforce.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","baseScore":7.4,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to OpenClaw 2026.4.29 or later. Note that the CPEs for both the affected and the fixed product entries use a wildcard version field, so CPE-based matching alone cannot tell a fixed build from an affected one; match on the installed OpenClaw version against the <2026.4.29 range instead.","product_ids":["CSAFPID-1"]}]}]}