CVE-2026-35630: OpenClaw: auth bypass enables unauthorized agent approval

HIGH
Published May 29, 2026
CISO Take

OpenClaw's QQBot integration fails to verify that the user clicking an approval button is actually a configured approver, meaning any low-privilege user in the chat environment can approve pending execution or plugin requests that were explicitly gated behind human authorization controls. This matters because AI agent approval workflows are the primary human-in-the-loop safety mechanism preventing unauthorized code execution and plugin invocations — bypassing them collapses the entire oversight layer in a single click. The CVSS 8.0 vector (AV:N/AC:L/PR:L/UI:R) confirms this is network-reachable, requires no technical sophistication, and is exploitable by anyone with a valid QQBot account in the affected deployment. Upgrade immediately to OpenClaw 2026.5.18 or later; as a temporary workaround, restrict access to the QQBot interface to authorized approvers only and audit recent approval logs for anomalous approvers.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

HIGH risk for organizations deploying OpenClaw as an AI agent orchestration platform. The authorization bypass directly undermines human oversight controls — the primary safety net for AI agent actions. With low attack complexity and only low privileges required, the barrier to exploitation is minimal for any internal user or compromised account with QQBot access. The CIA impact is H/H/H: confidential data may be exfiltrated via approved plugin calls, system integrity is compromised through unauthorized command execution, and availability can be affected by malicious plugin invocations. Risk is elevated in enterprise deployments where QQBot serves large user populations, many of whom would not normally have approver rights.

Attack Kill Chain

  1. Initial Access (AML.T0012): Adversary authenticates to the QQBot environment with any low-privilege account (employee, contractor, or compromised user credential).
  2. Opportunity Discovery (AML.T0049): Adversary observes a pending exec or plugin approval request visible in the QQBot chat channel, identifying an action they wish to authorize without legitimate approver rights.
  3. Authorization Bypass (AML.T0049): Adversary clicks the native approval button on the pending request; OpenClaw fails to validate that the clicker is a configured approver and accepts the approval.
  4. Unauthorized Execution (AML.T0053): The AI agent executes the approved exec command or plugin invocation with full agent privileges, achieving confidentiality, integrity, or availability impact depending on the approved action.

What systems are affected?

Package: openclaw
Ecosystem: pip
Vulnerable Range:
Patched: No patch
4 dependents, 87% patched, ~0d to patch

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1: 8.0 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV Network
AC Low
PR Low
UI Required
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. PATCH

    Upgrade OpenClaw to version 2026.5.18 or later immediately — this is the only complete fix.

  2. WORKAROUND (if patching is delayed)

    Restrict QQBot channel access so only authorized approvers can view and interact with approval request messages. Disable native approval buttons and use an out-of-band approval mechanism.

  3. DETECTION

    Review QQBot interaction logs for approval events where the approving user is not in the configured approver list. Alert on any approval action performed by a non-approver identity.

  4. AUDIT

    Review all plugin and exec approvals made since the last known-good version was deployed to identify potentially unauthorized actions taken.

  5. COMPENSATING CONTROL

    Implement network-level restrictions on QQBot webhook endpoints to limit exposure to trusted networks.
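
Steps 3 and 4 as a script, added here as an example (not OpenClaw's code): it scans approval events inside the audit window and flags every request resolved by an identity outside the configured approver list. The JSON-lines log format, field names, user IDs and audit start date are assumptions constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample in a hypothetical JSON-lines format; the field names are
# assumptions for this example, not OpenClaw's or QQBot's real log schema.
SAMPLE_LOG = """\
{"ts":"2026-05-01T08:00:00+00:00","event":"approval_resolved","request_id":"req-100","kind":"exec","actor_id":"u-guest-7","decision":"approve"}
{"ts":"2026-05-20T09:14:02+00:00","event":"approval_resolved","request_id":"req-101","kind":"exec","actor_id":"u-ops-1","decision":"approve"}
{"ts":"2026-05-20T09:31:47+00:00","event":"approval_resolved","request_id":"req-102","kind":"plugin","actor_id":"u-guest-7","decision":"approve"}
{"ts":"2026-05-20T09:40:10+00:00","event":"message_sent","actor_id":"u-guest-7"}
truncated-line{"ts":
{"ts":"2026-05-20T10:15:00+00:00","event":"approval_resolved","request_id":"req-104","kind":"exec","decision":"approve"}
"""
APPROVERS = {"u-ops-1", "u-sec-2"}  # constructed approver list
# Constructed: when the last known-good version was deployed (start of audit).
AUDIT_SINCE = datetime.fromisoformat("2026-05-10T00:00:00+00:00")


def audit_approvals(log_text, approvers, since):
    """Flag approval resolutions at or after `since` by non-approver actors.

    Returns (findings, unparsed_line_numbers). Unparseable lines are reported
    rather than skipped silently, because they are gaps in the audit.
    """
    findings, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            when = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            unparsed.append(lineno)
            continue
        if ev.get("event") != "approval_resolved" or when < since:
            continue
        actor = ev.get("actor_id")
        # A missing actor is flagged too: it cannot be shown to be an approver.
        if actor not in approvers:
            findings.append((ev.get("request_id"), ev.get("kind"), actor))
    return findings, unparsed


if __name__ == "__main__":
    hits, bad = audit_approvals(SAMPLE_LOG, APPROVERS, AUDIT_SINCE)
    for request_id, kind, actor in hits:
        print(f"ALERT {kind} request {request_id} resolved by non-approver {actor!r}")
    print("unparsed lines:", bad)
```
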

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 14 - Human Oversight
ISO 42001: A.6.2.6 - AI system operation and monitoring
NIST AI RMF: GOVERN-1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35630 actively exploited?

No confirmed active exploitation of CVE-2026-35630 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35630?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent orchestration, human-in-the-loop approval pipelines, plugin-enabled AI agents.

What is the CVSS score for CVE-2026-35630?

CVE-2026-35630 has a CVSS v3.1 base score of 8.0 (HIGH).

AI Security Impact

Affected AI Architectures

agent frameworks, AI agent orchestration, human-in-the-loop approval pipelines, plugin-enabled AI agents

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 14
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN-1.1
OWASP LLM Top 10: LLM08

Technical Details

Original Advisory

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.
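
The missing check beside its enforced form, as an added illustration that is not OpenClaw's source. `ApprovalGate`, `PendingApproval` and both handler names are hypothetical, and `clicker_id` is assumed to be the sender identity the chat platform attaches to the button callback.

```python
from dataclasses import dataclass, field
from typing import Optional


class NotAuthorized(Exception):
    """Raised when a non-approver tries to resolve a pending request."""


@dataclass
class PendingApproval:  # hypothetical model of a gated exec/plugin request
    request_id: str
    kind: str
    resolved_by: Optional[str] = None
    decision: Optional[str] = None


@dataclass
class ApprovalGate:  # hypothetical; illustrates the check, not OpenClaw's API
    approvers: frozenset
    pending: dict = field(default_factory=dict)

    def on_click_unchecked(self, request_id, clicker_id, decision):
        # Behaviour the advisory describes: the clicker is recorded but never
        # compared with the configured approvers, so any chat member resolves it.
        req = self.pending.pop(request_id)
        req.resolved_by, req.decision = clicker_id, decision
        return req

    def on_click(self, request_id, clicker_id, decision):
        if decision not in ("approve", "deny"):
            raise ValueError(f"unknown decision: {decision!r}")
        # Authorize before touching state. An empty approver list or a missing
        # clicker identity fails closed.
        if not clicker_id or clicker_id not in self.approvers:
            raise NotAuthorized(f"{clicker_id!r} is not a configured approver")
        # Only now consume the request, so a rejected click leaves it pending
        # for a legitimate approver.
        req = self.pending.pop(request_id, None)
        if req is None:
            raise KeyError(f"no pending request {request_id!r}")
        req.resolved_by, req.decision = clicker_id, decision
        return req
```
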

Exploitation Scenario

An adversary with a low-privilege QQBot account in an organization running OpenClaw observes that a pending exec approval request appears in the shared chat — for example, a request to run a database backup script or invoke a file-transfer plugin. Without any special privileges or technical knowledge, the attacker simply clicks the approval button. OpenClaw fails to check that the clicker is a configured approver and processes the approval, executing the pending command with full agent privileges. In a targeted attack, the adversary could first trigger a high-impact action themselves (e.g., by social-engineering a legitimate user to initiate a plugin request), then immediately approve it using their own unprivileged account before a legitimate approver can intervene. This gives the attacker arbitrary code execution within the AI agent's trust boundary.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: May 29, 2026
Last Modified: May 29, 2026
First Seen: May 29, 2026
