OpenClaw disclosed several high-severity vulnerabilities affecting multiple releases, including authorization bypass in QQBot pre-dispatch slash commands, privilege escalation in the trusted-proxy Control UI WebSocket, and node authority expansion through pairing reconnection logic. The QQBot issue, tracked as CVE-2026-53834 and mirrored in GitHub advisory GHSA-77pv-3w4q-vrj5, affects versions up to 2026.4.26 and allows senders to trigger slash-command handling before allowFrom policy checks are enforced. The vendor said the flaw is limited to the QQBot feature and its configuration, with the first stable fix released in 2026.4.27.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
12 events from the most recent confirmed update back to the earliest known activity.
A high-severity vulnerability, CVE-2026-53857, was published for OpenClaw versions earlier than 2026.5.3. The flaw allows authentication bypass because allowFrom authorization compares a mutable DisplayName instead of an immutable UserID, enabling sender spoofing and potentially exposing internal APIs, sensitive data, and execution-capable tooling to unauthorized use.
A new vulnerability, CVE-2026-53850, was published for OpenClaw describing missing authorization checks in the focus command's control-scope enforcement. The flaw allows an authenticated low-privilege user to switch focus to unauthorized sessions or workspaces, and the reference says version 2026.4.25 adds explicit validation to fix the issue.
A new vulnerability, CVE-2026-53852, was published for OpenClaw describing a scope containment bypass in the device re-pairing routine. An authenticated operator can submit an empty or falsy scope parameter and retain broader previously active permissions instead of having the session restricted.
A medium-severity vulnerability, CVE-2026-53854, was published for OpenClaw versions prior to 2026.4.25. The flaw allows low-privilege users on internal or webchat interfaces to inherit wildcard-based owner permissions retained from another channel, potentially enabling owner-level command execution and access to session data.
A high-severity vulnerability, CVE-2026-53843, was published for OpenClaw versions before 2026.5.26. The flaw allows a surviving pairing-scoped device session to re-establish node token authority after revocation, potentially restoring WebSocket node-level access without renewed approval.
A high-severity vulnerability, CVE-2026-53849, was published for OpenClaw versions before 2026.5.7. The flaw lets unauthorized Discord users impersonate authorized identities by changing mutable display names used by allowFrom checks, potentially gaining agent access intended for another account.
A new high-severity vulnerability, CVE-2026-53866, was published for OpenClaw versions prior to 2026.5.12. The flaw is an allowlist bypass in shell inline-command parsing that can let authenticated operators execute unapproved commands because one parser path skips the expected allowlist decision and approval prompt.
A new vulnerability, CVE-2026-53838, was disclosed for OpenClaw versions before 2026.5.27. The flaw can mutate node pairing state during reconnection and potentially restore broader node authority than intended.
The CVE-2026-53834 entry states the vulnerability was received by disclosure@vulncheck.com on June 12, 2026. It affects OpenClaw versions before 2026.4.27 and describes an authorization bypass in QQBot pre-dispatch slash commands.
The CVE-2026-53821 entry states the vulnerability was received by disclosure@vulncheck.com on June 12, 2026. The flaw affects OpenClaw versions before 2026.5.18 and allows trusted-proxy Control UI WebSocket scope elevation.
A GitHub security advisory disclosed that OpenClaw versions earlier than 2026.5.20 allowed hook-triggered automated runs to select a bundled CLI backend that incorrectly received owner-scoped MCP loopback authority. The advisory states the first stable patched version is 2026.5.20.
A GitHub security advisory disclosed that OpenClaw versions up to and including 2026.4.26 were affected by a QQBot pre-dispatch slash command flaw that could bypass allowFrom checks. The advisory stated the first stable patched release was version 2026.4.27.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
13 references tracked. Mallory keeps watching after this page renders.
cvereports.com
Open sourcecvereports.com
Open sourcecvereports.com
Open sourcecvereports.com
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.