Detections
Analytics

CVE-2026-43574

medium

Description

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.

References

https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists

https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x

https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd

Details

Source: Mitre, NVD

Published: 2026-05-05

Updated: 2026-05-05

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

CVSS v4

Base Score: 6

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00027