CVE-2026-35630 Overview
CVE-2026-35630 is an authorization bypass vulnerability in OpenClaw versions prior to 2026.5.18. The flaw exists in the QQBot native approval buttons, which fail to enforce the configured approver identity. Non-approver users can click approval buttons and resolve pending exec or plugin approval requests without proper authorization. The vulnerability is tracked under CWE-862: Missing Authorization and affects OpenClaw deployments running on Node.js.
Critical Impact
Any QQBot user can approve pending exec or plugin operations, bypassing the designated approver and enabling unauthorized command execution.
Affected Products
- OpenClaw versions before 2026.5.18
- OpenClaw deployments running on Node.js
- QQBot integrations using native approval buttons
Discovery Timeline
- 2026-05-29 - CVE-2026-35630 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-35630
Vulnerability Analysis
The vulnerability resides in OpenClaw's QQBot approval workflow. QQBot exposes native approval buttons that allow designated approvers to authorize sensitive operations, including exec commands and plugin actions requiring elevated review. The approval handler accepts button click events but does not validate whether the clicking user matches the configured approver identity. Any user who can interact with the approval message can therefore resolve the request.
This breaks the intended separation between request submitters and approvers. An attacker who submits a malicious exec or plugin request can either approve it themselves or rely on any other user with access to the chat to inadvertently approve it. The result is unauthorized execution of operations that should require explicit approver consent.
Root Cause
The root cause is missing authorization enforcement [CWE-862] in the button callback handler. The handler resolves pending approval state based solely on the button click event, without comparing the acting user's identity against the configured approver list. Authorization is assumed from the presence of the button rather than verified per request.
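To make the root cause concrete, the following is an added illustrative model written in Node.js-style JavaScript; it is not OpenClaw's code, and the approval store, the pending-request shape, the `approvers` configuration and the handler names are all assumptions. It places the vulnerable callback, which resolves a request from the click event alone, beside a hardened version that checks the clicking user against the configured approver set and refuses self-approval before touching any state.

```javascript
// Illustrative model of the approval-button flaw (assumed design, not OpenClaw's code).
// Pending approvals are keyed by request id; each records who asked and for what.
// `config.approvers` stands in for the hypothetical per-deployment approver list.
const config = { approvers: new Set(["ops-lead", "security-oncall"]) };

function createApprovalStore() {
  const pending = new Map();
  return {
    submit(requestId, requesterId, action) {
      pending.set(requestId, { requesterId, action, status: "pending" });
    },
    get(requestId) {
      return pending.get(requestId);
    },
  };
}

// Vulnerable pattern (CWE-862): the click event alone resolves the request.
// Whoever can see the button can approve, including the user who submitted it.
function handleButtonClickVulnerable(store, event) {
  const req = store.get(event.requestId);
  if (!req || req.status !== "pending") return { ok: false, reason: "no pending request" };
  req.status = event.decision; // "approve" or "deny", taken at face value
  req.resolvedBy = event.userId;
  return { ok: true, status: req.status, resolvedBy: req.resolvedBy };
}

// Hardened pattern: authorize the acting user on every click, reject
// self-approval and malformed decisions, and only then mutate state.
function handleButtonClickHardened(store, event, approvers = config.approvers) {
  const req = store.get(event.requestId);
  if (!req || req.status !== "pending") return { ok: false, reason: "no pending request" };
  if (!approvers.has(event.userId)) {
    return { ok: false, reason: "user is not a configured approver" };
  }
  if (event.userId === req.requesterId) {
    return { ok: false, reason: "requester may not approve own request" };
  }
  if (event.decision !== "approve" && event.decision !== "deny") {
    return { ok: false, reason: "invalid decision" };
  }
  req.status = event.decision;
  req.resolvedBy = event.userId;
  return { ok: true, status: req.status, resolvedBy: req.resolvedBy };
}

// Replay the attack: a non-approver submits an exec request and clicks approve.
// Returns the outcome on the vulnerable path, the hardened path, and a
// legitimate approval by a configured approver.
function demo() {
  const attackClick = { requestId: "req-1", userId: "attacker", decision: "approve" };

  const vuln = createApprovalStore();
  vuln.submit("req-1", "attacker", { type: "exec", cmd: "id" });
  const before = handleButtonClickVulnerable(vuln, attackClick);

  const fixed = createApprovalStore();
  fixed.submit("req-1", "attacker", { type: "exec", cmd: "id" });
  const after = handleButtonClickHardened(fixed, attackClick);
  const legit = handleButtonClickHardened(fixed, {
    requestId: "req-1",
    userId: "ops-lead",
    decision: "approve",
  });

  return { before, after, legit };
}
```

The design point is that authorization is evaluated per click against the approver configuration, not inferred from the fact that the button was rendered; the chat platform cannot be trusted to have shown the button only to approvers.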
Attack Vector
Exploitation requires network access to the QQBot interface and the ability to interact with approval messages. An attacker with low privileges submits an exec or plugin request, then clicks the approval button rendered in the chat. Because the handler does not check the clicker's identity, the approval succeeds and the requested operation executes. Refer to the VulnCheck Advisory and the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-35630
Indicators of Compromise
- Approval events in QQBot logs where the approving user does not match the configured approver for the target operation.
- Exec or plugin requests that are approved, and then executed, by the same account that submitted them, often within seconds of submission.
- Unexpected plugin enablement or command execution recorded in OpenClaw operational logs.
Detection Strategies
- Audit QQBot approval logs and correlate the requester identity with the approver identity for every resolved request.
- Compare the OpenClaw version in deployed environments against 2026.5.18 to identify vulnerable instances.
- Review exec and plugin invocation history for approvals completed without participation from the configured approver account.
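The correlation described in the indicators and detection strategies above, as an added example that is not part of the original page: the JSON log schema, the event names, the timestamps and the approver list are constructed for illustration and are not OpenClaw's real log format. The audit joins each resolved approval to its originating request and flags approvals by a user outside the configured approver set, self-approvals by the requester, and approvals with no matching request at all.

```javascript
// Added detection example. The log format below is constructed for illustration
// and is not OpenClaw's or QQBot's real schema; adapt the field names to yours.
const APPROVERS = new Set(["ops-lead", "security-oncall"]);

// Constructed sample log, one JSON object per line.
const SAMPLE_LOG = `
{"ts":"2026-05-30T10:00:00Z","event":"approval.requested","requestId":"r1","user":"alice","action":"exec"}
{"ts":"2026-05-30T10:00:04Z","event":"approval.resolved","requestId":"r1","user":"alice","decision":"approve"}
{"ts":"2026-05-30T10:05:00Z","event":"approval.requested","requestId":"r2","user":"bob","action":"plugin.enable"}
{"ts":"2026-05-30T10:07:00Z","event":"approval.resolved","requestId":"r2","user":"ops-lead","decision":"approve"}
{"ts":"2026-05-30T10:09:00Z","event":"approval.requested","requestId":"r3","user":"carol","action":"exec"}
{"ts":"2026-05-30T10:09:30Z","event":"approval.resolved","requestId":"r3","user":"dave","decision":"approve"}
{"ts":"2026-05-30T10:10:00Z","event":"approval.resolved","requestId":"r9","user":"ops-lead","decision":"approve"}
`;

// Parse newline-delimited JSON, skipping blank or malformed lines rather than aborting.
function parseLog(text) {
  const records = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      records.push(JSON.parse(trimmed));
    } catch {
      // malformed line: ignore, a real pipeline would count these
    }
  }
  return records;
}

// Join each approve decision to its request and report anything that should
// not have been possible if the approver identity had been enforced.
function auditApprovals(records, approvers = APPROVERS) {
  const requests = new Map();
  for (const r of records) {
    if (r.event === "approval.requested") requests.set(r.requestId, r);
  }

  const findings = [];
  for (const r of records) {
    if (r.event !== "approval.resolved" || r.decision !== "approve") continue;
    const req = requests.get(r.requestId);
    const reasons = [];

    if (!approvers.has(r.user)) reasons.push("approver_not_configured");
    if (req && req.user === r.user) reasons.push("self_approval");
    if (!req) reasons.push("no_matching_request");

    if (reasons.length > 0) {
      findings.push({
        requestId: r.requestId,
        approver: r.user,
        requester: req ? req.user : null,
        action: req ? req.action : null,
        secondsToApprove: req ? (Date.parse(r.ts) - Date.parse(req.ts)) / 1000 : null,
        reasons,
      });
    }
  }
  return findings;
}

// Convenience entry point for running the audit over the embedded sample.
function runSampleAudit() {
  return auditApprovals(parseLog(SAMPLE_LOG));
}
```

Run against the sample, the audit returns three findings: r1 (alice approved her own exec request four seconds after submitting it and is not an approver), r3 (dave is not a configured approver) and r9 (an approval with no recorded request, which in a real log would point at either log loss or a forged callback). r2, approved by ops-lead for bob's request, is clean. In production the same join should also feed an alert on every approve event whose user is not in the approver set, per the Monitoring Recommendations below.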
Monitoring Recommendations
- Forward OpenClaw and QQBot logs to a centralized log platform and alert on approval-resolution events lacking an authorized approver match.
- Monitor child processes spawned by the OpenClaw Node.js process and alert on commands that do not match an approved exec request.
- Track plugin install or enable events and alert on activity outside scheduled change windows.
How to Mitigate CVE-2026-35630
Immediate Actions Required
- Upgrade OpenClaw to version 2026.5.18 or later on all Node.js deployments.
- Inventory all QQBot integrations and confirm which instances expose native approval buttons.
- Review historical approval events for unauthorized resolutions and roll back any unintended plugin or exec changes.
Patch Information
The vendor released a fix in OpenClaw 2026.5.18. The patch enforces the configured approver identity in the QQBot button callback handler. See the GitHub Security Advisory GHSA-mgq6-vr84-7m2j for the official remediation guidance.
Workarounds
- Disable QQBot native approval buttons until the upgrade is complete and require approvals through an authenticated channel.
- Restrict access to QQBot groups or channels so that only trusted users can interact with approval messages.
- Temporarily disable exec and plugin features that depend on the approval workflow until patched.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.5.18
# Confirm the installed version is 2026.5.18 or later
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.