CVE-2026-35630
Analyzed - Analysis Complete
Authorization Bypass in OpenClaw QQBot Approval Buttons

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: VulnCheck

Description
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in the QQBot native approval buttons: the buttons do not enforce the configured approver identity, so a non-approver user who can click an approval button can resolve a pending exec or plugin approval request without being authorized to do so.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.5.18 (2026.5.18 itself is not affected)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-35630 is an authorization bypass in OpenClaw versions before 2026.5.18, specifically in the QQBot native approval buttons.

The flaw is that button handling does not enforce the configured approver identity: any user who can click an approval button can resolve a pending exec (command execution) or plugin approval request, not only the configured approver.

In effect, the approval prompt becomes a control that anyone who sees it can operate, which defeats the purpose of requiring an approver's consent before the gated action proceeds.

Impact Analysis

This vulnerability lets actions that were gated on an approver's consent proceed without it, within OpenClaw's QQBot channel.

  • A non-approver can resolve a pending exec or plugin approval request, approving (or denying) it in the configured approver's place.
  • What follows depends on what the request gated: an approved exec request runs the pending command and an approved plugin request lets the gated plugin action proceed, so confidentiality, integrity and availability can all be affected.

In practice, such unauthorized approvals can cause unintended or malicious operations to run, leading to security breaches or operational disruption.

Mitigation Strategies

To mitigate CVE-2026-35630, upgrade OpenClaw to version 2026.5.18 or later, which enforces the configured approver identity when a QQBot native approval button is clicked.

Until the upgrade is in place, do not deliver native approval buttons into conversations that include users who are not configured approvers (group chats in particular), since on affected versions anyone who can see a button can use it. Hiding the buttons is only a stopgap: the real fix is the check, inside OpenClaw, of who clicked, not of who the prompt was shown to.
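The approver check that the description and the mitigation above describe, as an added example that is not OpenClaw's own code: the QQBot integration's real types, handlers and configuration keys are not on this page, so every name here (ApprovalRequest, ButtonClick, approverIds, handleClick) is an assumption made for illustration. The block puts the vulnerable button handler, which resolves whatever request is clicked, beside a hardened one that enforces the configured approver identity, the originating conversation and single resolution, and adds a retroactive check that lists decisions made by non-approvers, which is what an operator of an unpatched deployment would want to review after upgrading.

```typescript
// Added example, not OpenClaw's own code: a model of the bug class behind
// CVE-2026-35630 (CWE-862). Every name below (ApprovalRequest, ButtonClick,
// approverIds, ...) is an assumption made for illustration.

type ApprovalKind = "exec" | "plugin";
type Decision = "approved" | "denied";

interface ApprovalRequest {
  id: string;
  kind: ApprovalKind;
  summary: string;                 // what the approver is being asked to allow
  chatId: string;                  // conversation the prompt was delivered to
  status: "pending" | Decision;
  resolvedBy?: string;
}

// A button callback as a chat platform would deliver it.
interface ButtonClick {
  approvalId: string;
  action: Decision;
  userId: string;                  // who pressed the button
  chatId: string;                  // where they pressed it
}

interface Config {
  approverIds: Set<string>;        // the configured approver identity
}

type ClickResult = { ok: true; req: ApprovalRequest } | { ok: false; reason: string };

class ApprovalStore {
  private readonly requests = new Map<string, ApprovalRequest>();
  private readonly config: Config;
  constructor(config: Config) { this.config = config; }

  create(id: string, kind: ApprovalKind, summary: string, chatId: string): ApprovalRequest {
    const req: ApprovalRequest = { id, kind, summary, chatId, status: "pending" };
    this.requests.set(id, req);
    return req;
  }

  // VULNERABLE: the click is trusted. Anyone who can see the message can
  // resolve the request; no authorization check is performed at all.
  handleClickVulnerable(click: ButtonClick): ApprovalRequest | undefined {
    const req = this.requests.get(click.approvalId);
    if (!req) return undefined;
    req.status = click.action;
    req.resolvedBy = click.userId;
    return req;
  }

  // HARDENED: the button is only a UI affordance. Authorization is decided
  // here, against the configured approver set, on every click.
  handleClick(click: ButtonClick): ClickResult {
    const req = this.requests.get(click.approvalId);
    if (!req) return { ok: false, reason: "unknown approval id" };
    // 1. Identity: only a configured approver may decide.
    if (!this.config.approverIds.has(click.userId)) {
      return { ok: false, reason: `user ${click.userId} is not a configured approver` };
    }
    // 2. Context: the click must come from the conversation the prompt was
    //    sent to, so a forwarded or replayed callback cannot resolve it.
    if (req.chatId !== click.chatId) {
      return { ok: false, reason: "click did not originate from the approval's conversation" };
    }
    // 3. Single resolution: once decided, later clicks are ignored.
    if (req.status !== "pending") {
      return { ok: false, reason: `already ${req.status} by ${req.resolvedBy}` };
    }
    req.status = click.action;
    req.resolvedBy = click.userId;
    return { ok: true, req };
  }
}

// Retroactive review for a deployment that ran a vulnerable version: list
// the resolved requests whose resolver is outside the approver set.
function findUnauthorizedResolutions(reqs: ApprovalRequest[], approverIds: Set<string>): ApprovalRequest[] {
  return reqs.filter(r => r.status !== "pending" && r.resolvedBy !== undefined && !approverIds.has(r.resolvedBy));
}

// Constructed scenario: one approver, one pending exec request in a group
// chat, and a non-approver in that group who presses "approve".
function demo() {
  const config: Config = { approverIds: new Set(["approver-1"]) };
  const rogue: ButtonClick = { approvalId: "ap-1", action: "approved", userId: "stranger-9", chatId: "group-42" };
  const vulnerable = new ApprovalStore(config);
  vulnerable.create("ap-1", "exec", "rm -rf /srv/data", "group-42");
  const v = vulnerable.handleClickVulnerable(rogue);                                       // approved by stranger-9
  const hardened = new ApprovalStore(config);
  hardened.create("ap-1", "exec", "rm -rf /srv/data", "group-42");
  const h1 = hardened.handleClick(rogue);                                                  // rejected: not an approver
  const h2 = hardened.handleClick({ ...rogue, userId: "approver-1", chatId: "dm-7" });     // rejected: wrong conversation
  const h3 = hardened.handleClick({ ...rogue, userId: "approver-1" });                     // accepted
  const h4 = hardened.handleClick({ ...rogue, userId: "approver-1", action: "denied" });   // rejected: already resolved
  const flagged = findUnauthorizedResolutions(v ? [v] : [], config.approverIds);           // [ap-1]
  return { v, h1, h2, h3, h4, flagged };
}
```

The point of the three checks in `handleClick` is that the identity check alone is what the advisory is about, but a handler that stops there is still replayable: a configured approver's callback copied into another conversation, or pressed twice, would be honoured. Tying the decision to the originating conversation and to a single pending state closes both.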

Compliance Impact

Because the QQBot native approval buttons do not check the configured approver identity, unauthorized users can resolve pending exec or plugin approval requests, and the resulting unauthorized actions can affect the confidentiality, integrity and availability of the system.

Regulations and standards such as GDPR and HIPAA require enforced access controls and accountability for who authorized an action; an approval control that any user who sees it can operate does not meet that requirement.

Until the upgrade to version 2026.5.18 or later is applied, affected systems should therefore be treated as having insufficient authorization controls for compliance purposes.
