CVE-2026-53833: OpenClaw QQBot Incorrect Authorization on /bot-streaming Command
Any QQBot sender could invoke the /bot-streaming admin command and change OpenClaw streaming configuration, even without being on an explicit trusted-sender allowlist.
The problem
OpenClaw's QQBot channel exposes a set of admin slash commands, including /bot-streaming, that are supposed to be restricted to senders explicitly named in the allowFrom config (non-wildcard entries only).
Before version 2026.4.29, the /bot-streaming command skipped that check. Any QQBot sender who could reach the command, including those matched only by a wildcard allowFrom: ["*"], could invoke it and mutate the streaming configuration without operator approval.
Proof of concept
The proof of concept for this issue is the command itself: the exact payload is the single slash command below, sent to the QQBot channel by any sender matched only by a wildcard allowFrom entry.
/bot-streaming
The other QQBot admin commands (/bot-upgrade, /bot-logs, /bot-approve, etc.) already required an explicit non-wildcard allowFrom entry before this CVE. The /bot-streaming handler lacked that same guard: a textbook CWE-863 (Incorrect Authorization) case in which one code path in a family of related commands does not inherit the access-control check applied to its siblings.
The patch in 2026.4.29 aligned /bot-streaming with the rest of the admin command registry: the sender's openid must appear in a named allowFrom entry. A wildcard ["*"] still permits normal chat but no longer grants access to any admin command, including /bot-streaming.
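To make the sibling-path authorization gap concrete, here is an added example that is not OpenClaw's code: a minimal model of a chat-channel admin command dispatcher in the vulnerable shape (the guard lives in each handler and one sibling forgot it) beside the hardened shape (one command registry, one guard applied before any handler runs). The function and type names (isExplicitlyTrusted, dispatchVulnerable, dispatchHardened, adminCommandsOpenToWildcard), the sample openids and the allowFrom lists are assumptions constructed for the example. The final function is the regression check a practitioner would want: enumerate every registered admin command and confirm none is reachable by a wildcard-only sender.

```typescript
// Added example, not OpenClaw's implementation. Names, openids and
// allowFrom lists below are constructed for illustration.

type CommandResult = { ok: boolean; reason: string };
type Dispatcher = (cmd: string, openid: string, allowFrom: string[]) => CommandResult;

// Single source of truth for which slash commands are admin commands.
export const ADMIN_COMMANDS = [
  "/bot-upgrade",
  "/bot-logs",
  "/bot-approve",
  "/bot-streaming",
] as const;

// A sender is explicitly trusted only when its openid appears as a
// named (non-wildcard) entry. "*" alone never counts.
export function isExplicitlyTrusted(openid: string, allowFrom: string[]): boolean {
  return allowFrom.some((entry) => entry !== "*" && entry === openid);
}

// Whether the sender may talk to the bot at all: a named entry or the wildcard.
export function mayChat(openid: string, allowFrom: string[]): boolean {
  return allowFrom.some((entry) => entry === "*" || entry === openid);
}

// Vulnerable shape: each handler is responsible for its own check, and the
// /bot-streaming case omits it (intentionally, mirroring the advisory).
export function dispatchVulnerable(cmd: string, openid: string, allowFrom: string[]): CommandResult {
  if (!mayChat(openid, allowFrom)) {
    return { ok: false, reason: "sender not allowed on channel" };
  }
  switch (cmd) {
    case "/bot-upgrade":
    case "/bot-logs":
    case "/bot-approve":
      if (!isExplicitlyTrusted(openid, allowFrom)) {
        return { ok: false, reason: "admin command requires explicit allowFrom entry" };
      }
      return { ok: true, reason: `${cmd} executed` };
    case "/bot-streaming":
      // BUG: mutates streaming config with no trust check at all.
      return { ok: true, reason: "/bot-streaming executed" };
    default:
      return { ok: true, reason: "chat message delivered" };
  }
}

// Hardened shape: admin status comes from the registry, and the guard runs
// once, before any handler, so a new sibling command cannot forget it.
export function dispatchHardened(cmd: string, openid: string, allowFrom: string[]): CommandResult {
  if (!mayChat(openid, allowFrom)) {
    return { ok: false, reason: "sender not allowed on channel" };
  }
  const isAdmin = (ADMIN_COMMANDS as readonly string[]).includes(cmd);
  if (isAdmin && !isExplicitlyTrusted(openid, allowFrom)) {
    return { ok: false, reason: "admin command requires explicit allowFrom entry" };
  }
  return { ok: true, reason: isAdmin ? `${cmd} executed` : "chat message delivered" };
}

// Regression check: which admin commands can a sender matched only by the
// wildcard execute? For a correct dispatcher the answer is an empty list.
export function adminCommandsOpenToWildcard(dispatch: Dispatcher): string[] {
  const wildcardOnly = ["*"];
  const strangerOpenid = "openid-not-in-allowlist"; // constructed
  return ADMIN_COMMANDS.filter((cmd) => dispatch(cmd, strangerOpenid, wildcardOnly).ok);
}
```

Run adminCommandsOpenToWildcard against the vulnerable dispatcher and it returns ["/bot-streaming"], exactly the gap the advisory describes; against the hardened dispatcher it returns an empty list, while a sender with a named openid entry can still run /bot-streaming and a wildcard-only sender can still chat. Keeping the check in one place, keyed off the registry, is the structural fix; a check like this in the test suite catches the next sibling that is added without it.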
The fix
Upgrade to openclaw 2026.4.29 or later. As a short-term mitigation on older versions, disable the QQBot streaming feature, or remove wildcard entries from the QQBot allowFrom list so that only senders with an explicit non-wildcard openid entry can reach the channel at all. Leaving allowFrom: ["*"] in place on a vulnerable version means anyone who can message the bot can change its streaming configuration.
Reported by Anshuman Bhartiya (@anshumanbh).
Related research
- high · 8.8 · CVE-2026-53821: openclaw Trusted-Proxy WebSocket Scope Elevation
- high · CVE-2026-53832: openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
- high · 8 · CVE-2026-53817: openclaw Control UI Locality Spoofing to Admin Token Mint
- high · 8 · CVE-2026-53829: openclaw Exec Approval Display Truncation