SB2026052921 - Improper access control in OpenClaw

Published: May 29, 2026

Security Bulletin ID: SB2026052921
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass configured sender restrictions for command handling.

The vulnerability exists due to improper access control in QQBot's pre-dispatch slash command handling: when slash command invocations are processed in that path, the configured allowFrom sender policy is not enforced, so a remote user whose sender should have been blocked by allowFrom can still have slash commands handled, bypassing the configured sender restrictions for command handling.

Only deployments with the affected feature enabled and reachable are vulnerable.
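To make the defect concrete, the following is an added illustration in TypeScript (a hypothetical model, not OpenClaw's or QQBot's code): a minimal inbound-message pipeline in which the vulnerable variant recognises and handles slash commands before consulting the allowFrom sender policy, beside a fixed variant that applies the policy first for every message. The allowFrom representation, the sender IDs and the command names are assumptions.

```typescript
// Hypothetical model of a chat-channel inbound pipeline (constructed for
// illustration; not OpenClaw's code). Shows the ordering defect: a slash
// command branch that runs before the sender allowlist is checked.

type Inbound = { senderId: string; text: string };
type AllowFrom = string[] | "*"; // explicit sender allowlist, or everyone

type Outcome =
  | { kind: "blocked" }
  | { kind: "slash"; command: string }
  | { kind: "message"; text: string };

// Sender policy: the gate between an arbitrary sender and the bot.
function isAllowedSender(allowFrom: AllowFrom, senderId: string): boolean {
  return allowFrom === "*" || allowFrom.includes(senderId);
}

// Recognise "/name ..." and return the lower-cased command name, else null.
function parseSlash(text: string): string | null {
  const m = /^\/([a-z]+)\b/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable ordering: slash commands are handled in a pre-dispatch step
// that never consults allowFrom, so a blocked sender's "/status" is still
// processed. Ordinary messages from that sender are (correctly) blocked.
function dispatchVulnerable(allowFrom: AllowFrom, msg: Inbound): Outcome {
  const cmd = parseSlash(msg.text);
  if (cmd !== null) return { kind: "slash", command: cmd }; // policy skipped
  if (!isAllowedSender(allowFrom, msg.senderId)) return { kind: "blocked" };
  return { kind: "message", text: msg.text };
}

// Fixed ordering: the sender policy is evaluated first for every inbound
// message; command parsing happens only for senders that passed it.
function dispatchFixed(allowFrom: AllowFrom, msg: Inbound): Outcome {
  if (!isAllowedSender(allowFrom, msg.senderId)) return { kind: "blocked" };
  const cmd = parseSlash(msg.text);
  if (cmd !== null) return { kind: "slash", command: cmd };
  return { kind: "message", text: msg.text };
}
```

A regression test for the fix is simply the pair of calls with a sender outside allowFrom: the slash command must yield the same "blocked" outcome as a plain message.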


Remediation

Install the update from the vendor's website.