CVE-2026-34507: OpenClaw: policy bypass enables unauthorized admin command execution

MEDIUM
Published May 29, 2026
CISO Take

OpenClaw before version 2026.4.29 contains an authorization bypass (CWE-863) in its QQBot admin command handler, allowing any authenticated user to skip DM-only and allowFrom policy checks and execute privileged operations from unauthorized senders or channels. For teams running OpenClaw-based AI agent deployments, this means a low-privileged attacker can circumvent the access control layer protecting admin functionality with no user interaction required and low attack complexity. No public exploit or KEV listing exists at this time and EPSS data is unavailable, but the network-accessible low-privilege entry bar makes opportunistic abuse realistic in multi-tenant or shared bot environments. Patch to OpenClaw 2026.4.29 or later immediately; in the interim, restrict QQBot admin command exposure and audit all allowFrom policy configurations.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium risk (CVSS 5.4). CWE-863 incorrect authorization is straightforward to exploit given low privilege requirements and no user interaction. The network attack vector means any authenticated user can attempt the bypass without physical or local access. Impact is constrained to confidentiality and integrity (C:L/I:L) with no availability impact, but in AI agent contexts unauthorized admin command execution can cascade into broader automation abuse or configuration tampering. The absence of public exploits and a KEV listing keeps this below the critical threshold.

Attack Kill Chain

  1. Initial Access (AML.T0012): Attacker authenticates to the OpenClaw deployment with low-privilege credentials, gaining access to the QQBot command interface.

  2. Policy Bypass (AML.T0107): Attacker sends admin commands from an unauthorized sender identity or non-DM channel, exploiting the missing authorization check to circumvent DM-only and allowFrom policies.

  3. Unauthorized Admin Execution (AML.T0053): Restricted admin commands execute successfully despite the sender failing policy validation, granting the attacker admin-level control over agent behavior.

  4. Impact (AML.T0049): Attacker triggers restricted automation flows, modifies agent configurations, or accesses privileged data — outcomes the policy enforcement was designed to prevent.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | pip | | No patch |

4 dependents, 87% patched, ~0d to patch

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A None

What should I do?

  1. Upgrade OpenClaw to version 2026.4.29 or later — this is the definitive fix.

  2. If immediate patching is not possible, disable or restrict QQBot admin command endpoints to the strictest possible sender allowlist.

  3. Audit all existing allowFrom and DM-only policy configurations; assume any authenticated user may have bypassed these controls historically.

  4. Review audit logs for anomalous admin command invocations from unexpected senders or channels.

  5. Consider network segmentation for QQBot admin interfaces in sensitive deployments.
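
For steps 3 and 4, a log-review sketch that re-applies the DM-only and allowFrom checks to admin commands that were actually executed. This is an added example, not OpenClaw code: the JSON-lines event schema, the "/admin" prefix, the policy dictionary and the sender IDs are all constructed assumptions to adapt to your own audit log format.

```python
import json

# Assumed policy mirroring the advisory's two controls (DM-only, allowFrom).
POLICY = {"dm_only": True, "allow_from": {"10001", "10002"}}
ADMIN_PREFIX = "/admin"  # hypothetical marker for admin commands

# Constructed audit events in a hypothetical JSON-lines schema (last line truncated).
SAMPLE_LOG = """\
{"ts": "2026-05-20T08:01:12Z", "sender": "10001", "chat_type": "dm", "command": "/admin status", "executed": true}
{"ts": "2026-05-20T09:14:03Z", "sender": "20077", "chat_type": "group", "command": "/admin reload", "executed": true}
{"ts": "2026-05-20T09:20:45Z", "sender": "10002", "chat_type": "group", "command": "/admin reload", "executed": true}
{"ts": "2026-05-20T10:02:31Z", "sender": "20077", "chat_type": "dm", "command": "/admin status", "executed": false}
{"ts": "2026-05-20T10:05:00Z", "sender": "30012", "chat_type": "dm", "command": "/help", "executed": true}
{"ts": "2026-05-20T11:47:19Z", "sender": "30012", "chat_type": "dm", "command": "/admin config", "executed": true}
{"ts": "2026-05-21T02:14:40Z", "sender": "20077", "chat_ty
"""

def violations(event, policy):
    """Return the policy checks this event fails (empty list means compliant)."""
    reasons = []
    if policy["dm_only"] and event.get("chat_type") != "dm":
        reasons.append("not-dm")
    if str(event.get("sender")) not in policy["allow_from"]:
        reasons.append("sender-not-in-allowFrom")
    return reasons

def find_bypasses(log_text, policy):
    """List (line number, sender, reasons) for executed admin commands policy should have blocked."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not an object")
        except ValueError:
            # Damaged records are reported, not silently dropped.
            findings.append((lineno, None, ["unparseable"]))
            continue
        if not str(event.get("command", "")).startswith(ADMIN_PREFIX):
            continue
        if not event.get("executed"):
            continue  # rejected as intended, nothing to flag
        reasons = violations(event, policy)
        if reasons:
            findings.append((lineno, event.get("sender"), reasons))
    return findings

if __name__ == "__main__":
    print(find_bypasses(SAMPLE_LOG, POLICY))
```

Any finding dated before the upgrade to 2026.4.29 is a candidate for the historical bypass that step 3 tells you to assume.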

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system design and development — security requirements
NIST AI RMF
GOVERN 1.7 - Processes for AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions


Is CVE-2026-34507 actively exploited?

No confirmed active exploitation of CVE-2026-34507 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34507?

  1. Upgrade OpenClaw to version 2026.4.29 or later — this is the definitive fix.

  2. If immediate patching is not possible, disable or restrict QQBot admin command endpoints to the strictest possible sender allowlist.

  3. Audit all existing allowFrom and DM-only policy configurations; assume any authenticated user may have bypassed these controls historically.

  4. Review audit logs for anomalous admin command invocations from unexpected senders or channels.

  5. Consider network segmentation for QQBot admin interfaces in sensitive deployments.

What systems are affected by CVE-2026-34507?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent orchestration, chatbot automation pipelines.

What is the CVSS score for CVE-2026-34507?

CVE-2026-34507 has a CVSS v3.1 base score of 5.4 (MEDIUM).

AI Security Impact

Affected AI Architectures

agent frameworks, AI agent orchestration, chatbot automation pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08

Technical Details

Original Advisory

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked.

Exploitation Scenario

An attacker with a standard authenticated account on an OpenClaw deployment crafts admin commands routed through non-DM channels or from senders not listed in the allowFrom policy. Rather than the commands being rejected by policy, the authorization check is skipped and the admin operation executes. In an AI agent context this could mean triggering restricted automation flows, reconfiguring agent behaviors, or accessing admin-only data — all from a low-privilege foothold with no elevated credentials required and no victim interaction needed.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Timeline

Published
May 29, 2026
Last Modified
May 29, 2026
First Seen
May 29, 2026

Related Vulnerabilities