Incorrect authorization in OpenClaw - CVE-2026-28473


Published: May 4, 2026


Vulnerability identifier: #VU129490
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28473
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to approve or deny pending exec approval requests.

The vulnerability exists due to incorrect authorization in the handling of chat messages that contain the built-in /approve command. A remote user can send a chat message containing the /approve command to approve or deny pending exec approval requests.

This issue occurs because the chat command path invokes exec.approval.resolve through an internal privileged gateway client instead of enforcing the operator.approvals scope that is required for direct RPC calls.
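As an added illustration that is not taken from OpenClaw's code base, the TypeScript sketch below models the authorization gap the advisory describes: a chat-command handler that reaches the privileged resolver through an internal client, beside a hardened handler that applies the same scope check the direct RPC route enforces. All names (ApprovalStore, Caller, resolveApproval, rpcResolve, the two handlers) are hypothetical.

```typescript
// Added illustrative model of the bug class in CVE-2026-28473 (CWE-863).
// All names here are hypothetical and are not OpenClaw's real API.
type Decision = "approve" | "deny";
interface ApprovalRequest { command: string; decision?: Decision }
type ApprovalStore = Map<string, ApprovalRequest>;
interface Caller { id: string; scopes: ReadonlySet<string> }

// The scope the direct RPC path requires (named in the advisory).
const REQUIRED_SCOPE = "operator.approvals";

// Constructed sample state: one pending exec approval request.
function newStore(): ApprovalStore {
  return new Map<string, ApprovalRequest>([["req-1", { command: "npm run build" }]]);
}

// Privileged internal resolver. Anything that reaches this call has already
// passed (or bypassed) authorization; the check must happen before it.
function resolveApproval(store: ApprovalStore, id: string, d: Decision): boolean {
  const req = store.get(id);
  if (!req || req.decision) return false; // unknown or already resolved
  req.decision = d;
  return true;
}

// Direct RPC path: enforces the scope against the calling client.
function rpcResolve(store: ApprovalStore, caller: Caller, id: string, d: Decision): boolean {
  if (!caller.scopes.has(REQUIRED_SCOPE)) return false;
  return resolveApproval(store, id, d);
}

function parseApprove(msg: string): [string, Decision] | null {
  const m = /^\/approve\s+(\S+)\s+(approve|deny)$/i.exec(msg.trim());
  const id = m?.[1], verb = m?.[2];
  if (!id || !verb) return null;
  return [id, verb.toLowerCase() as Decision];
}

// Vulnerable pattern: the chat command is executed through an internal
// privileged client, so the chat sender's own scopes are never consulted.
function handleApproveVulnerable(store: ApprovalStore, _sender: Caller, msg: string): boolean {
  const parsed = parseApprove(msg);
  return parsed ? resolveApproval(store, parsed[0], parsed[1]) : false;
}

// Hardened pattern: the chat path goes through the same scope check as the
// RPC path, evaluated against the chat sender rather than the internal client.
function handleApproveFixed(store: ApprovalStore, sender: Caller, msg: string): boolean {
  const parsed = parseApprove(msg);
  return parsed ? rpcResolve(store, sender, parsed[0], parsed[1]) : false;
}
```

The same test that shows an unscoped sender resolving a request through the vulnerable handler is the regression check to keep once the scope check is in place.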


How to mitigate CVE-2026-28473

Install the security update from the vendor's website.

Sources