CVE-2026-34507 LOW

CVE-2026-34507: OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

Vendor Openclaw

Product OpenClaw

Weakness CWE-863 · Incorrect authorization

Published May 29, 2026

Last update May 29, 2026

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked.

Key dates

02Disclosure timeline

May 29, 2026 CVE published

May 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34507

Related vulnerabilities

04Related CVE

CVE-2022-41918 Issue with fine-grained access control of indices backing data streams CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin CVE-2026-26289 Subnet Solutions PowerSYSTEM Center Incorrect Authorization