CVE-2026-35630NVD

Vulnerability Summary

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

Severity Level

HIGH(8.0)

Published Date

May 29, 2026

Last Modified

Jun 1, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.04%Probability

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://github.com/openclaw/openclaw/security/advisories/GHSA-mgq6-vr84-7m2j
https://www.vulncheck.com/advisories/openclaw-qqbot-missing-approver-identity-enforcement-in-native-approval-buttons