{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53834: OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53834","status":"final","version":"1","initial_release_date":"2026-06-12T21:56:58.552Z","current_release_date":"2026-06-15T19:26:36.577Z","revision_history":[{"date":"2026-06-12T21:56:58.552Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53834 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53834"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53834"},{"category":"external","summary":"GitHub Security Advisory (GHSA-77pv-3w4q-vrj5)","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5"},{"category":"external","summary":"VulnCheck Advisory: OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands","url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-qqbot-pre-dispatch-slash-commands"}]},"product_tree":{"branches":[{"category":"vendor","name":"OpenClaw","branches":[{"category":"product_name","name":"OpenClaw","branches":[{"category":"product_version_range","name":"<2026.4.27","product":{"name":"OpenClaw OpenClaw <2026.4.27","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"2026.4.27","product":{"name":"OpenClaw OpenClaw 2026.4.27","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53834","title":"OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands","notes":[{"category":"description","text":"OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","baseScore":8.2,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 2026.4.27.","product_ids":["CSAFPID-1"]}]}]}