CVE-2026-34507
Severity: MEDIUM | WAF coverage: Low
CVSS 5.4
Published: 2026-05-29
CWE-863
OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked.
WAF Coverage Analysis
- CWE-863: Incorrect Authorization
- WAF coverage: Low
- OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.4.29 |
References
- github.com (Mitigation, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)