CVE-2026-53833

OpenClaw before 2026.4.29 contains an authorization bypass in the QQBot streaming command that lets authenticated senders mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside the intended admin policy by accessing the affected co...

CVE-2026-32005

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...