CVE-2026-43574

MEDIUM

OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists

Title source: cna

Description

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory

GitHub Security Advisory (GHSA-49cg-279w-m73x)

https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x

Patch patch

Patch Commit

https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

VulnCheck Advisory: OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists

https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 7.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-183

Status published

Products (3)

npm/openclaw 0 - 2026.4.12npm

OpenClaw/OpenClaw < 2026.4.12

OpenClaw/OpenClaw 2026.4.12

Published May 05, 2026

Tracked Since May 05, 2026