CVE-2026-62217
Received Received - Intake

Authorization Bypass in OpenClaw QQBot Exec Approvals

Vulnerability report for CVE-2026-62217, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenClaw 2026.5.14-beta.1 before 2026.5.27 contain an authorization flaw in the QQBot exec approvals feature. When the feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, allowing non-allowlisted senders to perform unauthorized operations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.5.14-beta.1 (inc) to 2026.5.27 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authorization flaw in OpenClaw 2026.5.14-beta.1 before 2026.5.27 affecting the QQBot exec approvals feature. It allows lower-trust callers or input paths to execute or persist actions beyond their intended authorization scope, enabling non-allowlisted senders to perform unauthorized operations when the feature is enabled and reachable.

Detection Guidance

Check if OpenClaw versions between 2026.5.14-beta.1 and 2026.5.27 are installed. Inspect QQBot exec approvals feature configuration for unauthorized access paths. Review logs for suspicious exec approvals activity or unauthorized operations.

Impact Analysis

The impact depends on configuration and whether lower-trust input can reach the affected path. It may allow unauthorized operations, potentially leading to data breaches, system compromise, or service disruption. The high CVSS scores (8.8 v3.1, 7.7 v4.0) indicate significant confidentiality, integrity, and availability risks.

Compliance Impact

This vulnerability could potentially violate compliance with standards like GDPR and HIPAA by allowing unauthorized execution of actions, leading to unauthorized data access, modification, or disclosure. The high impact on confidentiality, integrity, and availability (CVSS 8.8) suggests it may result in unauthorized processing of personal data (GDPR) or protected health information (HIPAA).

Mitigation Strategies

Upgrade OpenClaw to version 2026.5.27 or later. Disable the QQBot exec approvals feature if not required. Restrict feature access to trusted operators only. Apply allowlist policies to limit input paths and execution surfaces.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62217. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart