Severity: HIGH | CVE-2026-35630 | CNA: VulnCheck

CVE-2026-35630: OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval Buttons

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

HarborGuard Analysis

Synopsis

OpenClaw before 2026.5.18 has an authorization bypass in the QQBot native approval buttons. The component fails to check that the clicking user matches the configured approver identity, so any low-privilege user with access to the chat can click an approval button to resolve a pending exec or plugin approval request. Successful exploitation lets unauthorized users approve arbitrary commands or plugin actions, compromising confidentiality, integrity, and availability of whatever the approved request executes. A patched-image rebuild at 2026.5.18 is available on HarborGuard for affected environments.
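The flaw described above, as an added illustration that is not OpenClaw's code: a hypothetical approval broker whose button handler appears twice, once in the vulnerable shape (any clicker resolves the request) and once hardened so the clicking user must match a configured approver, the request must still be pending, and every rejection is written to an audit log. The class and field names (ApprovalBroker, ButtonClick, the user ids) are invented for this example.

```python
"""
Illustrative approval-button handling (hypothetical; not OpenClaw's code).
The clicker identity must come from the chat platform's authenticated event,
never from data embedded in the button itself, and the approver check must
run server-side: hiding a button from non-approvers is not authorization.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class ApprovalRequest:
    request_id: str
    kind: str                      # "exec" or "plugin"
    payload: str                   # command or plugin action awaiting approval
    requester_id: str
    status: Status = Status.PENDING
    resolved_by: Optional[str] = None


@dataclass
class ButtonClick:
    """A native button click as the platform delivers it (constructed shape)."""
    request_id: str
    clicker_id: str                # platform-authenticated user id of the clicker
    action: str                    # "approve" or "deny"


@dataclass
class ApprovalBroker:
    approver_ids: frozenset        # configured approver identities (hypothetical config)
    pending: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def submit(self, req: ApprovalRequest) -> None:
        self.pending[req.request_id] = req

    def handle_click_vulnerable(self, click: ButtonClick) -> str:
        """The pattern the advisory describes: resolves the request for any clicker."""
        req = self.pending[click.request_id]
        req.status = Status.APPROVED if click.action == "approve" else Status.DENIED
        req.resolved_by = click.clicker_id
        return req.status.value

    def handle_click_hardened(self, click: ButtonClick) -> str:
        """Enforces approver identity and request state before touching the request."""
        req = self.pending.get(click.request_id)
        if req is None:
            return self._reject(click, "unknown-request")
        if click.clicker_id not in self.approver_ids:
            return self._reject(click, "not-approver")
        if req.status is not Status.PENDING:
            return self._reject(click, "already-resolved")
        req.status = Status.APPROVED if click.action == "approve" else Status.DENIED
        req.resolved_by = click.clicker_id
        self.audit_log.append(f"{click.clicker_id} {req.status.value} {req.request_id}")
        return req.status.value

    def _reject(self, click: ButtonClick, reason: str) -> str:
        # Rejections are logged so repeated non-approver clicks are detectable.
        self.audit_log.append(f"rejected:{reason} {click.request_id} by {click.clicker_id}")
        return f"rejected:{reason}"


def run_scenario() -> dict:
    """Constructed scenario: a non-approver presses approve on a pending exec request."""
    approvers = frozenset({"U-approver"})
    bystander = ButtonClick("req-1", "U-bystander", "approve")
    approver = ButtonClick("req-1", "U-approver", "approve")

    vulnerable = ApprovalBroker(approver_ids=approvers)
    vulnerable.submit(ApprovalRequest("req-1", "exec", "cat /etc/hostname", "U-dev"))
    vuln_outcome = vulnerable.handle_click_vulnerable(bystander)

    hardened = ApprovalBroker(approver_ids=approvers)
    hardened.submit(ApprovalRequest("req-1", "exec", "cat /etc/hostname", "U-dev"))
    blocked = hardened.handle_click_hardened(bystander)
    allowed = hardened.handle_click_hardened(approver)
    replay = hardened.handle_click_hardened(approver)   # second click on a resolved request

    return {
        "vulnerable": vuln_outcome,
        "vulnerable_resolved_by": vulnerable.pending["req-1"].resolved_by,
        "hardened_bystander": blocked,
        "hardened_approver": allowed,
        "hardened_replay": replay,
        "audit": hardened.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit entries are the detection hook: a burst of `rejected:not-approver` lines from one user id in a chat is exactly the signal a SOC would want from a bot that exposes approval buttons to everyone in the room.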

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against OpenClaw images in customer registries and CI pipelines, including custom-built images that embed OpenClaw.

Triage: Available

Triage is capability-driven: the CVSS v4.0 score of 7.5 (High) is combined with each customer's compliance policy weighting and routed to the appropriate inbox within that customer org, so chat-bot and automation workloads can be prioritized ahead of less exposed services.

Patch: Available

A patched-image rebuild at OpenClaw 2026.5.18 becomes available on HarborGuard for affected environments. Customers who opt into auto-remediation get the rebuilt image, a regression-test run, and a PR opened against the workloads still pinned to a vulnerable version.

Exploit Conditions

  • Network reachability: Required

    The attacker reaches the QQBot interface over the network, typically through the chat platform OpenClaw is integrated with.

  • Authentication: Required

    A low-privilege account is sufficient: the attacker must be a user in the chat where approval buttons appear, but does not need approver privileges.

  • Victim interaction: Required

    A legitimate user or automation must first submit an exec or plugin request that surfaces the approval buttons the attacker then clicks.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable once the conditions are met: clicking the button bypasses the identity check with no race or environmental dependencies. The CVSS vector's attack requirement (AT:P) reflects only the precondition that a pending exec or plugin approval request must already exist in the chat.

Blast Radius

  • Unauthorized users approve pending exec requests, causing OpenClaw to run arbitrary commands the attacker would not otherwise be permitted to run.
  • Unauthorized users approve plugin actions, enabling tampering with plugin state and any systems those plugins reach.
  • Approved exec or plugin actions can disrupt or take down the services OpenClaw orchestrates, depending on what the approved command does.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt OpenClaw image at 2026.5.18 is published as soon as the fix is ingested, and environments with auto-remediation enabled receive a regression-tested rebuild plus a PR against any workload still on a vulnerable version. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. For environments that gate remediation on compliance review, the patched image is staged and ready to promote, and compensating controls such as restricting QQBot chat membership to trusted approvers and disabling native approval buttons until the upgrade lands are surfaced in the advisory view.

Metrics

CVSS v4.0: 7.5
Severity: HIGH
Fixed in: 2026.5.18
Affected Products: 1

Fix available: 2026.5.18

Affected packages
  • OpenClaw / OpenClaw: < 2026.5.18 (from 0), fixed in 2026.5.18

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N