HIGH 8.0

CVE-2026-35630: OpenClaw Authorization Bypass in QQBot Approval Buttons

OpenClaw versions before 2026.5.18 have an authorization bypass flaw in the QQBot approval workflow. Users who are not designated approvers can click approval buttons to authorize pending requests for code execution or plugin installations—permissions they should not have. An attacker with basic OpenClaw access could escalate their capabilities by approving requests they have no business approving, effectively bypassing the system's governance controls.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35630 is an authorization bypass vulnerability (CWE-862) affecting OpenClaw's QQBot native approval buttons. The vulnerability stems from insufficient enforcement of approver identity during the approval flow for exec and plugin requests. The system fails to validate that the user clicking the approval button is actually a configured approver before accepting the approval action. This allows any authenticated user to interact with the approval button and resolve pending requests, regardless of their assigned role. The CVSS 3.1 score of 8.0 (High) reflects the combination of network accessibility, low attack complexity, and the high impact across confidentiality, integrity, and availability resulting from unauthorized code execution or plugin installation.

Business impact

This vulnerability creates a significant operational and security risk. Unauthorized approval of exec requests could allow an attacker to execute arbitrary code in the OpenClaw environment; unauthorized approval of plugin requests could lead to installation of malicious or non-compliant plugins. In regulated environments, this represents both a technical breach and a governance failure—audit trails will show approvals from unauthorized individuals, and compliance frameworks often require proof of proper authorization chains. The blast radius depends on what actions pending requests represent; in mature deployments where approval workflows gate critical operations, this could mean complete system compromise by a low-privileged insider or compromised low-privilege account.

Affected systems

OpenClaw releases before version 2026.5.18 are affected. The vulnerability exists in the QQBot approval button functionality, meaning systems where QQBot is configured and users rely on native approval workflows are at highest risk. Environments where exec and plugin approval is a gated process (as opposed to being open or administrator-only) are most exposed.

Exploitability

The vulnerability requires a network-accessible OpenClaw instance and authentication (PR:L in the CVSS vector), so an attacker needs at least a basic user account. The attack is straightforward—the attacker simply interacts with the approval UI element when a pending request is visible—making it easily repeatable. No special tools or exploit code are needed; user interaction (UI:R) is required to click the button. This combination makes it high-risk in environments where users have broad access or where compromised accounts are common.

Remediation

Upgrade OpenClaw to version 2026.5.18 or later to receive the authorization check enforcement fix. Verify against the vendor advisory that the patch version you receive actually addresses CWE-862 authorization enforcement in the approval workflow. Review your current approval request backlog for any suspicious approvals, especially those by users not assigned as approvers. Consider implementing additional compensating controls: restrict who can view pending approval requests, use API-level approval verification, or implement immutable audit logging for all approvals until the patch is deployed.

Patch guidance

Plan an upgrade to OpenClaw 2026.5.18 as a high-priority security update. Coordinate timing with your ops team to minimize disruption, as the approval workflow is likely part of your operational governance. Test the patch in a non-production environment first to confirm it does not introduce regressions in the approval flow. Verify that after patching, only configured approvers can interact with approval buttons. Document your pre-patch state (notably any approvals by non-approvers) for audit and compliance purposes. If running a managed OpenClaw service, check with your vendor on automatic patching policies.

Detection guidance

Before patching: Enable detailed logging on OpenClaw approval events and correlate them with user roles. Flag any approval actions by users who do not appear in your approver list. Check audit logs for approval button clicks from unexpected user accounts, particularly if those users have no apparent business reason to approve requests. Monitor for patterns—a single non-approver account clicking many approvals is a strong signal. After patching: Verify that approval buttons now reject clicks from non-approvers (test this in a controlled manner) and that logs show authorization denials. Threat hunters should search historical logs for anomalous approval patterns over the past several months to identify if the vulnerability was exploited.

Why prioritize this

This vulnerability merits immediate attention. It combines a high CVSS score (8.0), straightforward exploitability by any authenticated user, and direct impact on security governance—approvals are a critical control point. The fix is available (upgrade to 2026.5.18), and the attack surface is narrow (it only affects QQBot approval buttons), making remediation tractable. In environments where OpenClaw governs code execution or infrastructure changes, this is a priority-one security issue.

Risk score, explained

The CVSS 3.1 score of 8.0 (High) is justified by the attack vector (Network), low complexity, requirement for low privileges, and high impact across all three security properties (C, I, A). An attacker can gain network access, needs only a user account, does not need to trick another user (the permission bypass is silent), and the result is potential unauthorized code execution or installation—all of which are high-impact in a system designed to gate such operations. The absence of KEV listing does not reduce this risk; it reflects that there is no known active exploitation in the wild at time of publication, but the straightforward nature of the attack makes it a predictable target.

Frequently asked questions

Can an attacker exploit this without a valid OpenClaw account?

No. The vulnerability requires authentication (the CVSS vector includes PR:L). An attacker must first obtain a valid user account—either through credential compromise or through an insider threat. However, once authenticated, no further privileges are required to trigger the vulnerability.

Will our approval logs show who actually approved a request if this vulnerability is exploited?

Yes. The approval action will be logged with the account that clicked the button. This means a non-approver's account will appear in the audit trail as the approver. This is both a detection opportunity and an audit/compliance liability—you will have proof of unauthorized approval, but that proof also indicates a governance failure until the vulnerability is patched.

Is there a workaround if we cannot patch immediately?

Full workaround options are limited, but compensating controls can reduce risk: restrict QQBot access to only designated approvers, disable the native approval buttons and require approvals via a separate process, or implement role-based access controls at the infrastructure level to prevent non-approvers from reaching the approval UI. However, these are mitigation, not remediation—upgrading to 2026.5.18 is the permanent fix.

Does this vulnerability allow privilege escalation to administrator?

Not directly. The vulnerability allows approval of pending requests. The impact depends on what those requests are—if they are for non-privileged operations, impact is lower. If they are for administrative operations (like code execution or infrastructure changes), then effective privilege escalation is possible. Review your approval request types to understand the ceiling of impact in your environment.

This analysis is based on publicly available CVE data as of June 2026. Patch version numbers and availability should be verified directly with OpenClaw vendor advisories and release notes. Organizations should test patches in non-production environments before production deployment. This advisory does not constitute legal or compliance advice; consult your internal compliance and legal teams regarding audit and reporting obligations. Exploit code is not provided; this analysis is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).