Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.
AnalysisAI
Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.
Technical ContextAI
OpenClaw integrates with QQBot to surface interactive approval buttons in chat for high-privilege actions such as executing commands ('exec') or invoking plugins. The system is supposed to honor an allowlist of configured approver identities, but the button-handler code path omits the check that ties the clicking user's QQ identity to the approver allowlist, so any participant who can see the button can resolve the request. This is a textbook CWE-862 Missing Authorization defect: the authentication of the actor is fine, but the authorization decision that should map actor-to-permission is absent at the trust boundary where the approval state machine transitions from 'pending' to 'approved'.
RemediationAI
Vendor-released patch: upgrade OpenClaw to 2026.5.18 or later, which adds enforcement of the configured approver identity on the button-handler path, per GHSA-mgq6-vr84-7m2j (https://github.com/openclaw/openclaw/security/advisories/GHSA-mgq6-vr84-7m2j) and the VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-qqbot-missing-approver-identity-enforcement-in-native-approval-buttons). If patching is not immediately possible, disable the QQBot native approval-button feature and fall back to a command-based approval flow that can be wrapped with an identity check, or restrict QQBot membership to only the approver account so no untrusted user can click the button - the trade-off is loss of multi-user visibility into pending requests and reduced UX convenience for legitimate approvers. As a further compensating control, audit recent exec and plugin approval events for resolutions attributed to non-approver identities while the upgrade is rolled out.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33335
GHSA-hx4v-668p-g2qr