Impact
OpenClaw before version 2026.4.27 contains a flaw in QQBot's pre‑dispatch slash command handling that allows senders who are not on the configured allowFrom list to bypass the allowFrom policy checks. Slash commands are recognised and dispatched in a pre‑dispatch path that runs before the allowFrom access control is applied, so a sender who can reach the bot but should be rejected by policy can still have a slash command handled and executed. This ordering defect can lead to unauthorized command execution, data leakage, or unintended system behavior; the CVSS score of 8.2 rates it as high severity. The weakness is classified as CWE‑863 (Incorrect Authorization). Affected deployments face confidentiality, integrity and availability risks in proportion to what the exposed slash commands can do.
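As an added illustration, not OpenClaw's own code, the following JavaScript shows the ordering defect described above. The config shape, handler names, command table and sender IDs are all hypothetical. One inbound-message handler dispatches slash commands before consulting allowFrom; the other gates every message on allowFrom first. A small regression check sends a slash command from a sender outside allowFrom and reports whether the handler honoured the policy.

```javascript
// Constructed sample configuration: only these sender IDs may talk to the bot.
const config = { allowFrom: ["user-1001", "user-1002"] };

function isAllowed(senderId, allowFrom) {
  return allowFrom.includes(senderId);
}

// Recognise "/name args..." and nothing else.
function parseSlashCommand(text) {
  const m = /^\/(\w+)(?:\s+(.*))?$/.exec(text.trim());
  return m ? { name: m[1], args: m[2] ?? "" } : null;
}

// Hypothetical command table; handlers return strings so results can be checked.
const commands = {
  status: () => "status: ok",
  echo: (args) => `echo: ${args}`,
};

function dispatchSlashCommand(cmd) {
  // Own-property lookup only, so "/constructor" or "/toString" cannot reach
  // Object.prototype members through the table.
  if (!Object.prototype.hasOwnProperty.call(commands, cmd.name)) {
    return `unknown command: ${cmd.name}`;
  }
  return commands[cmd.name](cmd.args);
}

// Flawed ordering: the slash-command path runs before allowFrom is consulted,
// so any sender who can reach the bot gets command handling.
function handleMessageVulnerable(msg, cfg) {
  const cmd = parseSlashCommand(msg.text);
  if (cmd) {
    return { handled: true, reply: dispatchSlashCommand(cmd) }; // pre-dispatch path
  }
  if (!isAllowed(msg.senderId, cfg.allowFrom)) {
    return { handled: false, reply: null }; // policy applied only to plain chat
  }
  return { handled: true, reply: `chat: ${msg.text}` };
}

// Fixed ordering: the allowFrom gate is the first thing every inbound message
// passes through, whether or not it looks like a command.
function handleMessageFixed(msg, cfg) {
  if (!isAllowed(msg.senderId, cfg.allowFrom)) {
    return { handled: false, reply: null };
  }
  const cmd = parseSlashCommand(msg.text);
  if (cmd) {
    return { handled: true, reply: dispatchSlashCommand(cmd) };
  }
  return { handled: true, reply: `chat: ${msg.text}` };
}

// Regression check for any handler: a slash command from a sender outside
// allowFrom must not be handled. Returns true when the policy holds.
function policyHoldsFor(handler, cfg) {
  const outsider = { senderId: "not-on-the-list", text: "/status" }; // constructed
  const result = handler(outsider, cfg);
  return result.handled === false && result.reply === null;
}

// Constructed sender that is not in allowFrom.
const outsiderMessage = { senderId: "user-9999", text: "/status" };
console.log("vulnerable:", handleMessageVulnerable(outsiderMessage, config));
console.log("fixed:     ", handleMessageFixed(outsiderMessage, config));
console.log("policy holds (vulnerable):", policyHoldsFor(handleMessageVulnerable, config));
console.log("policy holds (fixed):     ", policyHoldsFor(handleMessageFixed, config));
```

The point to take from the two handlers is that the fix is not a new check but a reordering: the policy gate has to sit ahead of every dispatch path, including the fast path for commands. `policyHoldsFor` is the kind of one-line regression test that would have caught the defect before release.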
Affected Systems
The affected product is OpenClaw, all versions before 2026.4.27; version 2026.4.27 contains the fix. Administrators running any earlier release of OpenClaw with the QQBot channel and its slash commands in use are exposed. No lower bound on the affected range is listed, so any deployment that has not been upgraded to 2026.4.27 or later should be treated as vulnerable.
Risk and Exploitability
Exploitation requires a sender who can deliver messages to the bot over QQ, but nothing beyond that: the vulnerable code path is the bot's normal inbound message handling, so anyone able to message the bot is in scope, not only senders on the allowFrom list. No EPSS score is available, so the current likelihood of exploitation is unknown, but the CVSS rating of 8.2 reflects the potential impact. The vulnerability is not listed in the CISA KEV catalog, and no public exploit has been reported. The bypass itself is simple to trigger, since it amounts to sending a slash command from a sender outside the allowFrom list, so upgrading to 2026.4.27 should not wait for evidence of exploitation.
OpenCVE Enrichment