GHSA-mgq6-vr84-7m2j

GHSA-mgq6-vr84-7m2j HIGH
Published July 2, 2026

Summary: OpenClaw's QQBot channel can deliver native approval buttons for exec and plugin approvals. In affected releases, the button callback path resolved approvals without enforcing the configured QQBot approver identity. The text command approval path used the authorization check; the issue was specific to native QQBot approval buttons.

Full CISO analysis pending enrichment.

What systems are affected?

Package
OpenClaw
Ecosystem
npm
Vulnerable range
< 2026.5.18
Patched
2026.5.18
Dependents
4 (41% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV Network
AC Low
PR Low
UI Required
S Unchanged
C High
I High
A High

What should I do?

Patch available

Update OpenClaw to version 2026.5.18

Which compliance frameworks are affected?

Compliance analysis pending.

Frequently Asked Questions

What is GHSA-mgq6-vr84-7m2j?

OpenClaw's QQBot channel can deliver native approval buttons for exec and plugin approvals. In affected releases, the button callback path resolved approvals without enforcing the configured QQBot approver identity. The text command approval path used the authorization check; the issue was specific to native QQBot approval buttons. The full advisory text, including affected configurations, impact and mitigations, is reproduced under "Original Advisory" on this page.

Is GHSA-mgq6-vr84-7m2j actively exploited?

No confirmed active exploitation of GHSA-mgq6-vr84-7m2j has been reported, but organizations should still patch proactively.

How to fix GHSA-mgq6-vr84-7m2j?

Update to patched version: OpenClaw 2026.5.18.

What is the CVSS score for GHSA-mgq6-vr84-7m2j?

GHSA-mgq6-vr84-7m2j has a CVSS v3.1 base score of 8.0 (HIGH).

What are the technical details?

Original Advisory

### Summary

OpenClaw's QQBot channel can deliver native approval buttons for exec and plugin approvals. In affected releases, the button callback path resolved approvals without enforcing the configured QQBot approver identity. The text command approval path used the authorization check; the issue was specific to native QQBot approval buttons.

### Affected configurations

This affects deployments where QQBot native approval buttons are enabled and an approval message is visible to a QQ user who is not configured as an approver.

### Impact

A non-approver who could see the approval message could click an approval button and resolve the pending request. Depending on the pending approval, this could allow an exec or plugin action that should have required an authorized approver.

### Patched Versions

The first stable patched version is `2026.5.18`.

### Mitigations

Upgrade to `openclaw@2026.5.18` or later. Before upgrading, avoid delivering native approval buttons into QQ conversations that include users who should not be able to approve.
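As an added illustration of the bug class the advisory describes (not OpenClaw's own code; the config shape, approval store and function names are assumptions), the following JavaScript models the two approval paths the advisory contrasts: the text command path with the approver check, the button callback path as it behaved in affected releases, the hardened callback, and the interim mitigation of withholding native buttons from conversations that include non-approvers.

```javascript
// Hypothetical model of the approval paths in the advisory; not OpenClaw's code.
// Config shape, store and function names are assumptions for illustration.
const sampleConfig = { qqbot: { approvers: new Set(["qq:1001"]) } }; // constructed sample

function isApprover(cfg, userId) {
  return cfg.qqbot.approvers.has(userId);
}

function createApprovalStore() {
  const pending = new Map();
  return {
    request(id, action) {
      pending.set(id, { action, status: "pending", resolvedBy: null });
    },
    get: (id) => pending.get(id),
  };
}

// Shared resolution step: marks a pending request approved or denied, once.
function resolvePending(store, id, decision, userId) {
  const req = store.get(id);
  if (!req || req.status !== "pending") return { ok: false, reason: "no pending request" };
  if (decision !== "approved" && decision !== "denied") return { ok: false, reason: "bad decision" };
  req.status = decision;
  req.resolvedBy = userId;
  return { ok: true, status: decision };
}

// Text command path: approver identity is checked before the request is resolved.
function resolveViaTextCommand(store, cfg, { userId, id, decision }) {
  if (!isApprover(cfg, userId)) return { ok: false, reason: "not a configured approver" };
  return resolvePending(store, id, decision, userId);
}

// Button callback path as in affected releases: whoever can click resolves the request.
function resolveViaButtonAffected(store, cfg, { userId, id, decision }) {
  return resolvePending(store, id, decision, userId);
}

// Hardened button callback path: the same approver check as the text command path.
function resolveViaButtonFixed(store, cfg, { userId, id, decision }) {
  if (!isApprover(cfg, userId)) return { ok: false, reason: "not a configured approver" };
  return resolvePending(store, id, decision, userId);
}

// Interim mitigation from the advisory: deliver native buttons only when every
// conversation member is a configured approver; otherwise fall back to text commands.
function shouldDeliverNativeButtons(cfg, conversationMembers) {
  return conversationMembers.every((member) => isApprover(cfg, member));
}
```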

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026
