CVE-2026-53833: OpenClaw: auth bypass allows agent config mutation

HIGH
Published June 12, 2026
CISO Take

OpenClaw, an AI agent framework, contains an authorization bypass (CWE-290) in its QQBot streaming command that lets any authenticated sender modify the agent's configuration without appearing in the required allowFrom allowlist — effectively circumventing admin-defined access policy. The impact is rated CVSS 7.7 with high confidentiality and integrity loss, meaning a rogue or compromised sender can both expose configuration data and silently alter agent behavior across any workflow depending on the modified streaming settings. There are no public exploits and no CISA KEV listing, but low attack complexity means exploitation requires no specialized skill beyond sender-level access. Upgrade to OpenClaw 2026.4.29 or later; until then, audit all QQBot streaming allowFrom configurations and replace any wildcard entries with explicit non-wildcard allowlists.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High risk for organizations actively using OpenClaw in production AI agent pipelines. CVSS 7.7 with low attack complexity and no user interaction required reflects a genuinely dangerous configuration exposure. The local attack vector and authenticated sender prerequisite limit opportunistic exploitation, but any insider, compromised bot account, or lateral-movement pivot with sender access can directly mutate agent configuration — a critical threat in environments where agent behavioral integrity is security-critical. In compliance-sensitive deployments, unauthorized configuration changes to an AI agent constitute a reportable control failure under ISO 42001 and EU AI Act Article 9 regardless of CVSS score.

How does the attack unfold?

  1. Authenticated Access (AML.T0012)
     Attacker obtains sender-level credentials for the OpenClaw/QQBot environment via insider access, credential theft, or a compromised bot account with messaging permissions.

  2. Authorization Bypass (AML.T0107)
     Attacker sends commands to the QQBot streaming endpoint; CWE-290 allows the commands to execute without the sender appearing in the required allowFrom allowlist, bypassing admin-defined access policy.

  3. Configuration Mutation (AML.T0081)
     Attacker modifies QQBot streaming configuration — altering output routing, relaxing input filters, disabling rate limiting, or expanding operational permissions — with changes persisting across agent restarts.

  4. Impact (AML.T0048)
     Altered configuration enables downstream attacks: redirected outputs expose sensitive streaming data, relaxed filters permit prompt injection into downstream consumers, or expanded permissions facilitate further lateral movement within the AI agent pipeline.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip         -                  No patch
           4 dependents, 70% patched, ~0d to patch
QQBot      -           -                  No patch

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

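Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None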

What should I do?

  1. Upgrade OpenClaw to version 2026.4.29 or later — this is the vendor-confirmed remediated release per GHSA-jvm4-4j77-39p6.

  2. Immediately audit all QQBot streaming command allowFrom configurations across all deployments; replace any wildcard (*) entries with explicit, non-wildcard allowlists scoped to minimum required senders.

  3. Enable configuration change logging on QQBot streaming endpoints and alert on any unexpected modification events.

  4. Review all accounts with sender access to QQBot streaming and revoke any with broader-than-necessary permissions; apply least-privilege.

  5. Consult the VulnCheck advisory at the linked reference for additional detection indicators.

  6. If patching is delayed, consider temporarily disabling the QQBot streaming command in non-critical environments.
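
Steps 1 and 2 can be scripted. The following is an added example, not code from OpenClaw or from the advisory: it checks an installed version string against 2026.4.29 and walks a parsed JSON configuration for any allowFrom key that contains a wildcard or is empty. The nesting under "channels"/"qqbot"/"accounts" and the sender IDs are assumptions made for the sample; only the allowFrom key name comes from this page.

```python
import json

FIXED = (2026, 4, 29)  # remediated release named on this page

def is_vulnerable(version):
    """True when a dotted version string sorts before 2026.4.29."""
    core = version.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split(".")) < FIXED

def audit_allow_from(node, path="$"):
    """Yield (path, problem) for every allowFrom that is wildcarded or empty."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key != "allowFrom":
                yield from audit_allow_from(value, here)
                continue
            entries = value if isinstance(value, list) else [value]
            cleaned = [str(e).strip() for e in entries if e is not None]
            cleaned = [e for e in cleaned if e]
            if any("*" in e for e in cleaned):
                yield here, "wildcard entry"
            elif not cleaned:
                # Flagged for manual review: how an empty list is interpreted
                # is not stated on this page.
                yield here, "empty allowlist"
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from audit_allow_from(item, f"{path}[{i}]")

def report(version, config):
    """Combine the version gate (step 1) with the allowFrom audit (step 2)."""
    return {"needs_upgrade": is_vulnerable(version),
            "findings": sorted(audit_allow_from(config))}

# Constructed sample; the key layout is hypothetical, only allowFrom is from the page.
SAMPLE = json.loads("""
{"channels": {"qqbot": {
    "allowFrom": ["*"],
    "accounts": [
        {"id": "ops", "allowFrom": ["1000001", "1000002"]},
        {"id": "lab", "allowFrom": []}
    ]}}}
""")

if __name__ == "__main__":
    result = report("2026.4.20", SAMPLE)
    print("upgrade required:", result["needs_upgrade"])
    for where, problem in result["findings"]:
        print(f"{where}: {problem}")
```

Run it against each deployment's configuration and treat every finding as a change request for an explicit sender list.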

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1.2 - Access control for AI systems
NIST AI RMF: GOVERN 1.3 - Organizational roles and responsibilities for AI risk
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53833 actively exploited?

No confirmed active exploitation of CVE-2026-53833 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53833?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI chatbot deployments.

What is the CVSS score for CVE-2026-53833?

CVE-2026-53833 has a CVSS v3.1 base score of 7.7 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration, AI chatbot deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0081 Modify AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.3
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
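
The condition in the advisory text can be modeled as two authorization gates side by side. This is an added, simplified illustration and not OpenClaw's code: the function names, the Decision type and the sender IDs are hypothetical, and the weak gate encodes only what the advisory states, namely that a config-mutating command was reachable without an explicit non-wildcard allowFrom entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def _entries(allow_from):
    """Normalize an allowFrom value to a set of non-empty strings."""
    return {str(e).strip() for e in (allow_from or []) if str(e).strip()}

def weak_gate(sender, allow_from):
    """Flawed pattern: a wildcard or absent allowFrom is enough to mutate config."""
    entries = _entries(allow_from)
    if not entries or "*" in entries or sender in entries:
        return Decision(True, "message-level policy reused for config mutation")
    return Decision(False, "sender not listed")

def strict_gate(sender, allow_from):
    """Hardened pattern: config mutation needs an explicit, non-wildcard entry."""
    explicit = {e for e in _entries(allow_from) if "*" not in e}
    if sender in explicit:
        return Decision(True, "explicit allowlist entry")
    return Decision(False, "no explicit non-wildcard entry for sender")

# Constructed cases: (sender id, allowFrom value as configured)
CASES = [
    ("1000001", ["1000001"]),   # admin listed explicitly
    ("2000002", ["*"]),         # wildcard policy, sender not named
    ("2000002", None),          # no allowFrom configured at all
    ("2000002", ["1000001"]),   # explicit list, sender absent
]

def compare(cases=CASES):
    """Return (sender, allowFrom, weak decision, strict decision) per case."""
    return [(s, a, weak_gate(s, a).allowed, strict_gate(s, a).allowed)
            for s, a in cases]

if __name__ == "__main__":
    for sender, allow_from, weak, strict in compare():
        print(f"{sender} {allow_from}: weak={weak} strict={strict}")
```

The two middle cases are the ones the allowFrom audit in the remediation steps is meant to eliminate: the gates disagree only where the policy is a wildcard or missing.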

Exploitation Scenario

An attacker with authenticated sender access — via a compromised bot account, malicious insider, or lateral movement from a system with sender credentials — targets the QQBot streaming command endpoint. Without appearing in the allowFrom allowlist, the attacker sends a crafted streaming configuration command that the authorization check fails to block due to CWE-290. The attacker modifies the streaming configuration to redirect QQBot outputs to an adversary-controlled destination, relax input filtering to enable downstream prompt injection, or disable rate limiting to facilitate cost-harvesting or denial of service against downstream consumers. The configuration change persists across agent restarts, and in a multi-agent OpenClaw deployment propagates to all agents consuming the modified streaming configuration, while the attacker retains the ability to revert visible settings to avoid immediate detection.

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
