CVE-2026-43574

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published May 05, 2026

Vendor unknown

Description

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.

References

https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd
https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x
https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists