⚠ Withdrawn by GitHub Security Advisories
Withdrawn: July 2, 2026
GHSA-hx4v-668p-g2qrHighCVSS 8.0Disclosed before NVD
Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity
📋 Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mgq6-vr84-7m2j. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.
🎯 Affected products1
- npm/openclaw:< 2026.5.18