CVE-2026-35630
Authorization Bypass in OpenClaw QQBot Approval Buttons
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | versions before 2026.5.18 (2026.5.18 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35630 is an authorization bypass vulnerability in OpenClaw versions before 2026.5.18, specifically affecting the QQBot native approval buttons.
The flaw occurs because the system fails to enforce the configured approver identity, allowing non-approver users to click approval buttons and resolve pending execution or plugin approval requests without proper authorization.
This means that users who should not have approval rights can bypass security controls and approve actions that require authorized consent.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized execution of actions within OpenClaw's QQBot channel.
- Non-approver users can resolve pending execution or plugin approval requests without proper authorization.
- It compromises the confidentiality, integrity, and availability of the system by allowing unauthorized actions.
Such unauthorized approvals could result in unintended or malicious operations being executed, potentially causing security breaches or operational disruptions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-35630 vulnerability, users should upgrade OpenClaw to version 2026.5.18 or later, which includes a patch that enforces proper approver identity verification for QQBot native approval buttons.
Additionally, avoid delivering native approval buttons in conversations with unauthorized users to reduce the risk of unauthorized approval actions.
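The missing check described in the explanation above, and both mitigations (enforcing the configured approver identity, and not delivering buttons to non-approvers), as an added TypeScript illustration that is not OpenClaw's code: the request store, the user identifiers and the function names are hypothetical and constructed for this example.

```typescript
// Hypothetical model of a chat-channel approval flow (not OpenClaw's code).
// Identifiers and sample data are constructed for this illustration.
type PendingApproval = {
  id: string;
  kind: "exec" | "plugin";
  approverIds: ReadonlySet<string>; // configured approver identities
  status: "pending" | "approved" | "denied";
};
type ButtonClick = { approvalId: string; actorId: string; action: "approve" | "deny" };
type Outcome = "approved" | "denied" | "ignored" | "rejected";

// Vulnerable pattern (CWE-862): whoever can press the button resolves the request;
// the configured approver identity is never compared against the clicking actor.
function resolveUnchecked(store: Map<string, PendingApproval>, click: ButtonClick): Outcome {
  const req = store.get(click.approvalId);
  if (!req || req.status !== "pending") return "ignored";
  req.status = click.action === "approve" ? "approved" : "denied";
  return req.status;
}

// Hardened pattern: the click is honoured only when the actor is a configured approver.
// Rejected clicks are recorded so a non-approver pressing buttons shows up in audit logs.
const auditLog: string[] = [];
function resolveChecked(store: Map<string, PendingApproval>, click: ButtonClick): Outcome {
  const req = store.get(click.approvalId);
  if (!req || req.status !== "pending") return "ignored";
  if (!req.approverIds.has(click.actorId)) {
    auditLog.push(`rejected ${click.action} on ${req.id} by non-approver ${click.actorId}`);
    return "rejected"; // request stays pending for a real approver
  }
  req.status = click.action === "approve" ? "approved" : "denied";
  return req.status;
}

// Delivery-side control: render native buttons only when every participant in the
// conversation is an approver; otherwise fall back to a text notice without buttons.
function shouldRenderButtons(req: PendingApproval, participantIds: string[]): boolean {
  return participantIds.length > 0 && participantIds.every((p) => req.approverIds.has(p));
}

// Constructed sample: one pending exec approval whose only approver is "alice".
function makeStore(): Map<string, PendingApproval> {
  const req: PendingApproval = { id: "req-1", kind: "exec", approverIds: new Set(["alice"]), status: "pending" };
  return new Map([[req.id, req]]);
}
```

A rejected click leaves the request pending and writes an audit line, which is the event a detection rule for this class of bug should key on.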