CVE-2026-53834: OpenClaw: auth bypass in QQBot pre-dispatch commands

HIGH
Published June 12, 2026
CISO Take

OpenClaw before version 2026.4.27 contains an authorization bypass (CWE-863) in its QQBot slash command handling that allows senders explicitly blocked by the allowFrom access control policy to invoke commands by exploiting the pre-dispatch execution order—access control checks run too late to prevent execution. With a network-accessible attack vector, no elevated privileges required beyond a standard QQ account, and low attack complexity, any actor the operator intended to restrict can bypass configured policies with minimal effort. While there is no confirmed active exploitation, no public exploit code, and downstream adoption is limited to four known dependents, the integrity impact is significant in agent deployments: unauthorized command execution in an AI agent framework can trigger unintended workflows, data exposure, or chained automation depending on registered capabilities—and OpenClaw's real-world track record of malicious skill delivery (AIID #1368) makes authorization gaps in this ecosystem particularly high-risk. Operators should upgrade to 2026.4.27 immediately; as a short-term workaround, disable slash command handling or restrict bot access to trusted QQ group environments pending patching.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium-high operational risk for teams running OpenClaw QQBot deployments that rely on allowFrom policies for access segmentation. The CVSS 7.5 score reflects low exploitation complexity—network-reachable, no special permissions, no user interaction needed. The integrity-only impact (C:N/I:H/A:N) bounds the immediate damage surface, but in agentic contexts where slash commands chain to APIs, databases, or automation pipelines, the effective blast radius expands beyond the bot. Risk is further elevated by OpenClaw's pattern of 174 cumulative CVEs and a confirmed real-world credential theft incident (AIID #1368) involving its skills ecosystem, signaling systemic security debt in the package. Absence from CISA KEV and no public PoC reduce near-term exploitation probability, but the trivially low attack complexity offsets those mitigating factors.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker—a QQ account holder blocked by the target bot's allowFrom policy—identifies the OpenClaw QQBot instance and enumerates available slash commands by observing group chat interactions or reading public bot documentation.

  2. Pre-dispatch Bypass (AML.T0107): Attacker sends a slash command message to the bot; OpenClaw routes it through the pre-dispatch handler before the allowFrom check executes, processing the command regardless of the sender's blocked status.

  3. Unauthorized Tool Invocation (AML.T0053): The slash command executes within the OpenClaw agent context with full bot permissions, invoking whatever capabilities the command exposes—data queries, automation triggers, external API calls, or registered skill execution.

  4. Impact: Attacker achieves unauthorized actions within the agent's operational scope, ranging from sensitive data retrieval to triggering downstream workflows or—in environments with malicious skills installed—credential exfiltration as documented in AIID #1368.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | pip | | No patch
4 dependents; 70% patched; ~0d to patch


How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

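AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): None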

What should I do?

  1. Upgrade OpenClaw to version 2026.4.27 or later as the primary remediation.

  2. If immediate patching is not feasible, disable slash command handling entirely or restrict the QQBot instance to closed, trusted QQ groups as a temporary control.

  3. Audit allowFrom policy configurations and review bot command execution logs for invocations from accounts that should be blocked—treat any unexpected entries as potential exploitation attempts.

  4. Enumerate all slash commands registered with the bot and assess their downstream impact to prioritize urgency of patching.

  5. Apply network-level controls to limit QQBot endpoint exposure during the patch window.

  6. If OpenClaw skills are enabled, cross-reference installed skills against known-good sources given AIID #1368's documented malicious skill distribution.
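
For the log review in step 3, the following added example (not OpenClaw code or tooling) flags slash commands from senders that are not on the allowFrom list. The JSON-lines log layout, its field names (`ts`, `sender`, `text`) and the sample records are assumptions constructed for illustration; adapt the parsing to whatever your deployment actually logs.

```python
import json
from collections import defaultdict

# Constructed sample log; the format and field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2026-06-10T08:01:12Z", "sender": "10001", "text": "/status"}
{"ts": "2026-06-10T08:03:40Z", "sender": "66666", "text": "/export users"}
{"ts": "2026-06-10T08:03:55Z", "sender": "66666", "text": "hello bot"}
not-json garbage line
{"ts": "2026-06-11T21:15:02Z", "sender": " 66666 ", "text": "/status"}
{"ts": "2026-06-11T22:00:00Z", "sender": "77777", "text": "  /help"}
"""

def audit(log_text, allow_from):
    """Return ({sender: summary}, skipped_lines) for slash commands that
    were logged for senders outside the allowFrom list."""
    allowed = {str(s).strip() for s in allow_from}
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "commands": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            sender = str(rec["sender"]).strip()   # normalise stray whitespace
            text = str(rec["text"]).lstrip()
            ts = str(rec["ts"])
        except (ValueError, KeyError, TypeError):
            skipped += 1          # count unparseable lines instead of hiding them
            continue
        if not text.startswith("/") or sender in allowed:
            continue              # plain chat, or a sender the policy permits
        h = hits[sender]
        h["count"] += 1
        # Same-format UTC ISO 8601 timestamps sort correctly as strings.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["commands"].add(text.split()[0])
    return dict(hits), skipped
```

A non-zero `skipped` count means part of the log was not evaluated and needs manual review.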

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1 - AI system design and planning — access control
NIST AI RMF: MANAGE 2.2 - Risk treatments including controls and safeguards are applied and maintained
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53834 actively exploited?

No confirmed active exploitation of CVE-2026-53834 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53834?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Chatbot deployments, Messaging platform integrations, Bot-integrated automation workflows.

What is the CVSS score for CVE-2026-53834?

CVE-2026-53834 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Chatbot deployments, Messaging platform integrations, Bot-integrated automation workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration.

Exploitation Scenario

An adversary who has been added to a QQBot instance's blocked-sender list—a disgruntled former employee, an external threat actor with a QQ account, or a malicious bot—sends a slash command targeting the OpenClaw-powered bot. Because OpenClaw processes the slash command in the pre-dispatch phase before evaluating the allowFrom policy, the bot executes the command as if the sender were authorized. Depending on configured commands, the attacker can query internal data, trigger automation workflows, or invoke OpenClaw skills—including potentially malicious third-party skills sourced from ClawHub. In a worst-case scenario combining this bypass with a pre-installed malicious skill (mirroring AIID #1368), the attacker achieves credential exfiltration or persistent access to the environment hosting the bot.
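
The ordering flaw described above, as an added toy model beside the corrected order; this is not OpenClaw's code. The class, method names and sample sender IDs are hypothetical, and `allow_from` stands in for the operator's allowFrom policy.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    text: str

@dataclass
class Bot:
    allow_from: frozenset                          # senders the operator permits
    executed: list = field(default_factory=list)   # audit trail of side effects

    def _is_allowed(self, msg):
        return msg.sender in self.allow_from

    def _run_slash(self, msg):
        self.executed.append((msg.sender, msg.text.split()[0]))
        return "executed"

    def _run_agent(self, msg):
        return "agent-reply"

    def handle_vulnerable(self, msg):
        # Pre-dispatch: slash commands short-circuit the pipeline here...
        if msg.text.startswith("/"):
            return self._run_slash(msg)
        # ...so only non-command messages ever reach the policy gate.
        if not self._is_allowed(msg):
            return "denied"
        return self._run_agent(msg)

    def handle_fixed(self, msg):
        # Authorize once, before any stage that can cause side effects.
        if not self._is_allowed(msg):
            return "denied"
        if msg.text.startswith("/"):
            return self._run_slash(msg)
        return self._run_agent(msg)

def replay(handler, messages, allow_from):
    """Run messages through one handler; return (results, executed commands)."""
    bot = Bot(allow_from=frozenset(allow_from))
    return [handler(bot, m) for m in messages], bot.executed

# Constructed sample traffic: "10001" is on the policy, "66666" is not.
SAMPLE = [Message("10001", "/status"), Message("66666", "/status"),
          Message("66666", "hello")]
```

Replaying `SAMPLE` through both handlers works as a regression check: the blocked sender's plain message is denied by both, but only `handle_fixed` keeps that sender's `/status` out of `executed`.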

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
