{"cve":{"cve_id":"CVE-2026-53833","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00172,"epss_percentile":0.0676,"epss_as_of":"2026-06-23","description":"OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.","published_at":"2026-06-12T21:56:57.866000Z","last_modified_at":null,"cvss_v3_score":7.7,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","cvss_v3_severity":"HIGH","cvss_v4_score":7.4,"cvss_v4_vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","cvss_v4_severity":"HIGH","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-290"],"nvd_references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:30:53.124161Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"P","value_label":"Present"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"N","value_label":"None"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"openclaw","vendor_name":"openclaw","product_slug":"openclaw","product_name":"openclaw","version_start":"0","version_start_inclusive":true,"version_end":"2026.4.29","version_end_inclusive":false,"cpe23_uri":"cve5:openclaw:openclaw:0:2026.4.29"},{"vendor_slug":"openclaw","vendor_name":"openclaw","product_slug":"openclaw","product_name":"openclaw","version_start":"2026.4.29","version_start_inclusive":true,"version_end":"2026.4.29","version_end_inclusive":true,"cpe23_uri":"cve5:openclaw:openclaw:2026.4.29:2026.4.29"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-qqbot-streaming-command","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-06-12T21:56:57.866000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:28.590503Z","label":"CVSS score revised","source":"cvelistv5"}]}