OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists

6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.

Basic Information

ID CVE-2026-43574

Source VulnCheck

Published May 5, 2026 at 11:25

Modified May 5, 2026 at 12:19

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-183

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.",
    "published": "2026-05-05T11:25:13.823Z",
    "modified": "2026-05-05T12:19:57.990Z",
    "type": "cve",
    "title": "OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x\nhttps://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd\nhttps://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists",
    "id": "CVE-2026-43574",
    "bulletinFamily": "",
    "cwe": [
        "CWE-183"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists_CVE-2026-43574