Affected product: OpenClaw, versions < 2026.5.18
An authorization bypass vulnerability has been identified in OpenClaw versions prior to 2026.5.18. The issue resides in the QQBot native approval buttons, which do not properly enforce the configured approver identity. As a result, non-approver users can click these buttons to approve pending execution or plugin requests without the necessary authorization.
Exploitation of this vulnerability allows non-approver users to resolve pending execution or plugin approval requests, potentially leading to unauthorized execution of actions that should require an approved identity.
Users are advised to upgrade to OpenClaw version 2026.5.18 or later. Before upgrading, avoid sending native approval buttons in QQ conversations with users who are not authorized approvers.
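A minimal model of the missing check described above, added here as an example written for this page and not taken from OpenClaw's code: the approver set, the request identifiers, the handler names and the sample clicks are all hypothetical. The vulnerable handler trusts the button payload alone; the hardened one first checks that the clicking user is a configured approver.

```python
# Hypothetical model of an approval-button handler that forgets to check
# who pressed the button, beside a hardened version. All names, the
# approver configuration and the request ids are constructed for this
# example; nothing here is OpenClaw's own code.
from dataclasses import dataclass

# Constructed configuration: only this identity may approve requests.
CONFIGURED_APPROVERS = {"approver-001"}

# Maps the button's decision to the resulting request state.
OUTCOME = {"approve": "approved", "deny": "denied"}


@dataclass
class ButtonClick:
    user_id: str      # identity of the chat user who pressed the button
    request_id: str   # pending exec/plugin request the button refers to
    decision: str     # "approve" or "deny"


def new_pending_requests():
    # Constructed pending approvals awaiting an approver's decision.
    return {"req-1": "pending", "req-2": "pending"}


def resolve_vulnerable(pending, click):
    """Flawed handler: acts on the button payload without checking the
    clicker's identity, so any user can resolve a pending request."""
    if pending.get(click.request_id) != "pending":
        return "not-pending"
    pending[click.request_id] = OUTCOME[click.decision]
    return "resolved"


def resolve_fixed(pending, click):
    """Hardened handler: the identity behind the click must be a configured
    approver before the request may change state; otherwise the request
    stays pending and the attempt is worth logging for detection."""
    if click.user_id not in CONFIGURED_APPROVERS:
        return "denied"
    if pending.get(click.request_id) != "pending":
        return "not-pending"
    pending[click.request_id] = OUTCOME[click.decision]
    return "resolved"
```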