CVE-2026-43574 Overview
CVE-2026-43574 is an improper authorization vulnerability in OpenClaw versions before 2026.4.12. The flaw exists in helper-backed approval channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Attackers who know a pending approval ID can resolve approvals without proper authorization by exploiting this logic flaw.
The vulnerability is tracked under CWE-183: Permissive List of Allowed Inputs and affects the openclaw Node.js package. It enables attackers with low privileges to bypass approval workflows over the network.
Critical Impact
Attackers with knowledge of an approval ID can resolve pending approvals without authorization, breaking the integrity of approval workflows in OpenClaw deployments.
Affected Products
- OpenClaw versions prior to 2026.4.12
- OpenClaw Node.js package (openclaw:openclaw)
- Deployments using helper-backed approval channels
Discovery Timeline
- 2026-05-05 - CVE-2026-43574 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43574
Vulnerability Analysis
The vulnerability resides in OpenClaw's approval authorization logic within helper-backed channels. When the system resolved the list of approvers for a pending approval, an empty list was treated as a valid explicit approval authorization rather than a denial or no-op condition. This conflation of "no approvers resolved" with "approved" allowed any caller who could supply a valid approval ID to advance the approval state.
The weakness maps to CWE-183, reflecting overly permissive allow-list handling. Exploitation requires network access and low privileges, but no user interaction. The integrity impact is high because attackers can approve actions intended to require multi-party consent.
Root Cause
The root cause is conflation of two distinct conditions: a successful explicit approval and an empty approver list. In the vulnerable code path inside src/infra/channel-approval-auth.ts, an empty resolved approver array yielded an authorization result indistinguishable from an explicit grant.
The patch introduces a non-enumerable, symbol-keyed marker property, IMPLICIT_SAME_CHAT_APPROVAL_AUTHORIZATION, attached via Object.defineProperty to authorization results. A new helper, isImplicitSameChatApprovalAuthorization, lets downstream consumers distinguish implicit same-chat authorizations from explicit approver-driven grants; because the marker is a property of the object itself, consumers must check the original result reference, not a copy.
Attack Vector
An attacker with valid low-privileged access to the OpenClaw service and knowledge of a pending approval ID can submit a resolution request. If the helper-backed channel returns an empty approver list, the vulnerable logic treats this as explicit approval and finalizes the action. No multi-party consent or interactive confirmation is required.
// Patch excerpt from src/plugin-sdk/approval-auth-helpers.ts
type ApprovalAuthorizationResult = {
  authorized: boolean;
  reason?: string;
};

const IMPLICIT_SAME_CHAT_APPROVAL_AUTHORIZATION = Symbol(
  "openclaw.implicitSameChatApprovalAuthorization",
);

function markImplicitSameChatApprovalAuthorization(
  result: ApprovalAuthorizationResult,
): ApprovalAuthorizationResult {
  // Keep this non-enumerable to avoid changing auth payload shape.
  // Consumers must pass the same object reference to
  // `isImplicitSameChatApprovalAuthorization`; spread/Object.assign/JSON clones
  // drop this marker.
  Object.defineProperty(result, IMPLICIT_SAME_CHAT_APPROVAL_AUTHORIZATION, {
    value: true,
    enumerable: false,
  });
  return result;
}

export function isImplicitSameChatApprovalAuthorization(
  result: ApprovalAuthorizationResult | null | undefined,
): boolean {
  // Only a result carrying the symbol marker is implicit; a merely truthy
  // result says nothing about how it was authorized.
  return result != null && IMPLICIT_SAME_CHAT_APPROVAL_AUTHORIZATION in result;
}
Source: GitHub Commit 0a105c0
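The following is an added illustration, not OpenClaw's code and not taken from commit 0a105c0. It models the root cause and the shape of the fix side by side: a check in which an empty resolved approver list short-circuits to "authorized" (the CWE-183 pattern), a hardened check in which an empty list never yields an explicit grant and the implicit same-chat case is tagged with a non-enumerable symbol, and a consumer that refuses implicit grants for actions needing explicit approvers. The request shape, the `sameChat` flag, the field names and the sample request are assumptions made for this example; it also demonstrates the caveat from the patch comment that a JSON round trip drops the marker.

```typescript
// Added example, not OpenClaw's code: a minimal model of the check behind
// CVE-2026-43574. Request shape, field names and `sameChat` are assumptions.

export type ApprovalAuthorizationResult = { authorized: boolean; reason?: string };

export type ResolutionRequest = {
  approvalId: string;
  callerId: string;
  // Approver identities the helper-backed channel resolved for this approval.
  resolvedApprovers: string[];
  // Assumed: true when the caller acts inside the chat that raised the approval.
  sameChat: boolean;
};

// Vulnerable pattern (CWE-183): an empty allow-list is read as "allow anyone",
// so any caller who knows the approval id passes when no approvers resolve.
export function authorizeVulnerable(req: ResolutionRequest): ApprovalAuthorizationResult {
  const allowed =
    req.resolvedApprovers.length === 0 || req.resolvedApprovers.includes(req.callerId);
  return allowed
    ? { authorized: true }
    : { authorized: false, reason: "caller is not a resolved approver" };
}

// Hardened pattern, following the shape of the fix: explicit grants come only
// from a resolved approver; an empty list never becomes an explicit grant; the
// implicit same-chat case is tagged so consumers can tell the two apart.
const IMPLICIT_MARK = Symbol("example.implicitSameChatApprovalAuthorization");

function markImplicit(result: ApprovalAuthorizationResult): ApprovalAuthorizationResult {
  Object.defineProperty(result, IMPLICIT_MARK, { value: true, enumerable: false });
  return result;
}

export function isImplicitSameChatApproval(
  result: ApprovalAuthorizationResult | null | undefined,
): boolean {
  return result != null && IMPLICIT_MARK in result;
}

export function authorizeFixed(req: ResolutionRequest): ApprovalAuthorizationResult {
  if (req.resolvedApprovers.includes(req.callerId)) {
    return { authorized: true, reason: "explicit approver grant" };
  }
  if (req.resolvedApprovers.length === 0 && req.sameChat) {
    return markImplicit({ authorized: true, reason: "implicit same-chat authorization" });
  }
  return { authorized: false, reason: "no approver matched and caller is not same-chat" };
}

// Consumer side: an action that requires multi-party consent must refuse
// implicit authorizations rather than only checking `authorized`.
export function mayFinalize(
  result: ApprovalAuthorizationResult,
  requireExplicitApprover: boolean,
): boolean {
  if (!result.authorized) return false;
  if (requireExplicitApprover && isImplicitSameChatApproval(result)) return false;
  return true;
}

// The marker lives on the object reference only; a JSON round trip (or a
// spread / Object.assign copy) silently drops it, making an implicit grant
// indistinguishable from an explicit one downstream.
export function markerSurvivesJsonClone(): boolean {
  const original = markImplicit({ authorized: true });
  const clone = JSON.parse(JSON.stringify(original)) as ApprovalAuthorizationResult;
  return isImplicitSameChatApproval(clone);
}

// Constructed request: a caller outside the approver set who knows the id and
// hits an empty resolved approver list.
export const OUTSIDER_REQUEST: ResolutionRequest = {
  approvalId: "apr-0001",
  callerId: "mallory",
  resolvedApprovers: [],
  sameChat: false,
};
```

The vulnerable function authorizes OUTSIDER_REQUEST; the hardened one denies it, and even when the same caller is in the originating chat the resulting implicit grant is rejected by any consumer that asks for an explicit approver. markerSurvivesJsonClone returning false is the point of the "same object reference" comment in the patch: any serialization boundary between the authorizer and the consumer erases the distinction.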
Detection Methods for CVE-2026-43574
Indicators of Compromise
- Approval state transitions completed without corresponding approver identities recorded in audit logs.
- Pending approval IDs resolved by callers who are not on configured approver lists.
- Approval resolution events occurring with empty approvers fields in helper-backed channel telemetry.
Detection Strategies
- Audit OpenClaw approval logs for resolutions where the resolved approver list is empty or null.
- Compare approval requestor identity against expected approver groups for each resolved action.
- Alert on rapid sequences of approval resolutions originating from a single low-privileged account.
Monitoring Recommendations
- Enable verbose logging for the channel-approval-auth module and forward events to a centralized SIEM.
- Track invocation counts of resolveChannelApprovalCapability and correlate with downstream privileged actions.
- Monitor outbound execution events triggered by approval resolutions and flag any with missing approver attribution.
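As an added example that is not OpenClaw tooling, the script below applies the detection strategies above to a handful of constructed approval-resolution log lines: it flags resolutions whose resolved approver list is empty or null, resolvers who are not in the configured approver group, and bursts of resolutions from a single account inside a short window. The JSON field names (ts, event, approvalId, resolvedBy, approvers), the sample lines and the configured approver set are all assumptions for this illustration; map them onto whatever the channel-approval-auth module actually emits in your deployment.

```typescript
// Added example, not OpenClaw tooling: runs the detection rules above over
// constructed JSON log lines. Field names and sample data are assumptions.

type ResolutionEvent = {
  ts: number; // epoch milliseconds
  approvalId: string;
  resolvedBy: string;
  approvers: string[] | null;
};

export type Finding = { rule: string; approvalId: string; resolvedBy: string };

// Constructed sample: one clean resolution, a burst of three empty-approver
// resolutions from one account, one clean resolution, then noise.
export const SAMPLE_LOG_LINES: string[] = [
  '{"ts":"2026-05-06T10:00:00Z","event":"approval.resolved","approvalId":"apr-1","resolvedBy":"alice","approvers":["alice","bob"]}',
  '{"ts":"2026-05-06T10:00:05Z","event":"approval.resolved","approvalId":"apr-2","resolvedBy":"mallory","approvers":[]}',
  '{"ts":"2026-05-06T10:00:06Z","event":"approval.resolved","approvalId":"apr-3","resolvedBy":"mallory","approvers":null}',
  '{"ts":"2026-05-06T10:00:07Z","event":"approval.resolved","approvalId":"apr-4","resolvedBy":"mallory","approvers":[]}',
  '{"ts":"2026-05-06T10:30:00Z","event":"approval.resolved","approvalId":"apr-5","resolvedBy":"carol","approvers":["alice","carol"]}',
  '{"ts":"2026-05-06T10:31:00Z","event":"approval.requested","approvalId":"apr-6"}',
  "not json at all",
];

// Configured approver group for this deployment (constructed).
export const CONFIGURED_APPROVERS: ReadonlySet<string> = new Set(["alice", "bob", "carol"]);

// Keep only well-formed resolution events, ordered by time.
export function parseResolutionEvents(lines: string[]): ResolutionEvent[] {
  const events: ResolutionEvent[] = [];
  for (const line of lines) {
    let rec: Record<string, unknown>;
    try {
      rec = JSON.parse(line) as Record<string, unknown>;
    } catch {
      continue; // malformed line; a production pipeline would count these
    }
    if (rec.event !== "approval.resolved") continue;
    const ts = Date.parse(String(rec.ts));
    if (Number.isNaN(ts)) continue;
    events.push({
      ts,
      approvalId: String(rec.approvalId ?? ""),
      resolvedBy: String(rec.resolvedBy ?? ""),
      approvers: Array.isArray(rec.approvers) ? rec.approvers.map(String) : null,
    });
  }
  return events.sort((a, b) => a.ts - b.ts);
}

export function findSuspiciousResolutions(
  lines: string[],
  configuredApprovers: ReadonlySet<string>,
  burstCount = 3,
  windowMs = 60_000,
): Finding[] {
  const findings: Finding[] = [];
  const recent = new Map<string, number[]>(); // resolvedBy -> timestamps in window
  const burstFlagged = new Set<string>();

  for (const ev of parseResolutionEvents(lines)) {
    const where = { approvalId: ev.approvalId, resolvedBy: ev.resolvedBy };
    // Rule 1: resolution recorded with an empty or null resolved approver list.
    if (ev.approvers === null || ev.approvers.length === 0) {
      findings.push({ rule: "empty-approver-list", ...where });
    }
    // Rule 2: resolver identity is not in the configured approver group.
    if (!configuredApprovers.has(ev.resolvedBy)) {
      findings.push({ rule: "resolver-not-in-approver-group", ...where });
    }
    // Rule 3: burstCount resolutions from one account within windowMs
    // (reported once per account, on the event that crosses the threshold).
    const kept = [...(recent.get(ev.resolvedBy) ?? []), ev.ts].filter((t) => ev.ts - t <= windowMs);
    recent.set(ev.resolvedBy, kept);
    if (kept.length >= burstCount && !burstFlagged.has(ev.resolvedBy)) {
      burstFlagged.add(ev.resolvedBy);
      findings.push({ rule: "burst-from-single-account", ...where });
    }
  }
  return findings;
}

export function countByRule(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] ?? 0) + 1;
  return counts;
}
```

On the sample above the scan yields seven findings: three empty-approver-list hits (apr-2, apr-3, apr-4), three resolver-not-in-approver-group hits for the same account, and one burst finding raised on apr-4 when the third resolution from that account lands inside the 60-second window. Rule 1 is the direct indicator for this CVE; rules 2 and 3 catch the same abuse when the approver field is not logged faithfully.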
How to Mitigate CVE-2026-43574
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.12 or later as published in the GitHub Security Advisory GHSA-49cg-279w-m73x.
- Inventory all OpenClaw deployments and confirm package version via npm ls openclaw.
- Review historical approval logs for evidence of unauthorized resolutions prior to patching.
Patch Information
The fix is delivered in commit 0a105c0. It introduces the isImplicitSameChatApprovalAuthorization helper and marks implicit authorizations with a non-enumerable symbol so that empty approver lists no longer satisfy explicit approval checks. See the VulnCheck Advisory for additional technical context.
Workarounds
- Restrict network access to OpenClaw approval endpoints using firewall or service mesh policies until the patch is applied.
- Rotate or invalidate pending approval IDs that may have been exposed before remediation.
- Reduce the privilege scope of accounts that interact with helper-backed approval channels.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.12
# Verify the installed version
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.