CVE-2026-43574

MEDIUM CVSS 6.5 View on NVD ↗

Description

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd
https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x
https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists

Published: May 05, 2026 12:16 UTC Modified: May 05, 2026 19:32 UTC