Skip to main content

OpenClaw CVE-2026-35630

| EUVDEUVD-2026-33335 HIGH
Missing Authorization (CWE-862)
2026-05-29 disclosure@vulncheck.com GHSA-hx4v-668p-g2qr GHSA-mgq6-vr84-7m2j
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
May 29, 2026 - 17:02 EUVD
Analysis Generated
May 29, 2026 - 16:52 vuln.today

DescriptionCVE.org

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

AnalysisAI

Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.

Technical ContextAI

OpenClaw integrates with QQBot to surface interactive approval buttons in chat for high-privilege actions such as executing commands ('exec') or invoking plugins. The system is supposed to honor an allowlist of configured approver identities, but the button-handler code path omits the check that ties the clicking user's QQ identity to the approver allowlist, so any participant who can see the button can resolve the request. This is a textbook CWE-862 Missing Authorization defect: the authentication of the actor is fine, but the authorization decision that should map actor-to-permission is absent at the trust boundary where the approval state machine transitions from 'pending' to 'approved'.

RemediationAI

Vendor-released patch: upgrade OpenClaw to 2026.5.18 or later, which adds enforcement of the configured approver identity on the button-handler path, per GHSA-mgq6-vr84-7m2j (https://github.com/openclaw/openclaw/security/advisories/GHSA-mgq6-vr84-7m2j) and the VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-qqbot-missing-approver-identity-enforcement-in-native-approval-buttons). If patching is not immediately possible, disable the QQBot native approval-button feature and fall back to a command-based approval flow that can be wrapped with an identity check, or restrict QQBot membership to only the approver account so no untrusted user can click the button - the trade-off is loss of multi-user visibility into pending requests and reduced UX convenience for legitimate approvers. As a further compensating control, audit recent exec and plugin approval events for resolutions attributed to non-approver identities while the upgrade is rolled out.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-35630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy