HIGH 8.0 npm
Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity
GHSA-hx4v-668p-g2qr
Published · Modified
Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mgq6-vr84-7m2j. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.
Ready to move
Start Securing
Free, no credit card | First findings in minutes