⚠ Withdrawn by GitHub Security Advisories

Withdrawn: July 2, 2026

GHSA-hx4v-668p-g2qrHighCVSS 8.0Disclosed before NVD

Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity

Published
May 29, 2026
Last Modified
July 2, 2026

📋 Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mgq6-vr84-7m2j. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

🎯 Affected products1

  • npm/openclaw:< 2026.5.18

🔗 References (4)