CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-hx4v-668p-g2qr: Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity

highCVSS 8
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mgq6-vr84-7m2j. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8
Published
2026-05-29
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-hx4v-668p-g2qr

More from GitHub Security Advisories