Vypr Intelligence · AI-generated · May 31, 2026 · 6 CVEs

OpenClaw: Six Authorization and Scope Bypass CVEs Disclosed in Single Advisory

Six vulnerabilities spanning scope bypass, authorization flaws, and policy bypass were disclosed in OpenClaw on May 29, 2026, with patches already available across four release versions.

Key findings

  • CVE-2026-35674 (CVSS 8.8) is the most severe — a scope bypass in Gateway chat.send that lets operator.write clients escalate to privileged commands
  • CVE-2026-35630 (CVSS 8.0) allows non-approver users to click QQBot approval buttons and resolve pending requests
  • CVE-2026-32905 (CVSS 8.3) lets non-owner chat senders issue device-pairing bootstrap codes without scope validation
  • Fixes span four release versions: 2026.4.29, 2026.5.4, 2026.5.12, and 2026.5.18
  • No in-the-wild exploitation has been reported for any of the six CVEs
  • The batch reveals systemic permission-enforcement gaps across QQBot, Slack, Gateway, and device-pair integrations

Six security vulnerabilities in OpenClaw, the open-source, multi-platform chat-ops and automation gateway, were disclosed together on May 29, 2026, spanning scope bypass, authorization failures, and policy enforcement gaps. The batch affects versions prior to four different patch releases (2026.4.29, 2026.5.4, 2026.5.12, and 2026.5.18), meaning administrators need to verify their deployment's exact version against multiple fix points. The most severe of the group carries a CVSS score of 8.8 and involves a scope-bypass chain in the Gateway chat.send route.

**Scope bypass in Gateway chat.send (CVE-2026-35674, CVSS 8.8).** The highest-severity finding in the batch is a scope bypass in the Gateway's chat.send route. According to the advisory, clients holding operator.write scope can deliver commands through inherited external routes, effectively bypassing the operator.approvals and operator.admin scope requirements. This means an attacker who already has limited write access can escalate to privileged command execution without proper authorization checks. The fix was shipped in OpenClaw 2026.5.18.

**Authorization bypass in QQBot approval buttons (CVE-2026-35630, CVSS 8.0).** A separate high-severity flaw was found in the QQBot native approval buttons. The advisory states that the approval mechanism fails to enforce the configured approver identity, allowing non-approver users to click approval buttons and resolve pending exec or plugin approval requests. This effectively nullifies the intended approval workflow for QQBot-based operations. Patched in version 2026.5.18.

**Authorization bypass in device-pair plugin (CVE-2026-32905, CVSS 8.3).** The bundled device-pair plugin contains an authorization bypass that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll unauthorized devices with operator or node privileges. This vulnerability was fixed in OpenClaw 2026.5.4.

**SSRF policy bypass in browser debug and export routes (CVE-2026-35673, CVSS 6.5).** A medium-severity Server-Side Request Forgery (SSRF) policy bypass was identified in browser debug and export routes. The flaw allows reuse of already-open blocked tabs, enabling attackers with access to these routes to bypass private-network SSRF policies and export or inspect content that should remain protected. Patched in version 2026.4.29.

**Policy bypass in QQBot admin commands (CVE-2026-34507, CVSS 5.4).** Another QQBot-related flaw allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked. This was also fixed in OpenClaw 2026.4.29.

**Privilege escalation in Slack plugin approvals (CVE-2026-32906, CVSS 4.3).** The lowest-severity finding in the batch affects Slack plugin approvals. Exec-authorized users can resolve plugin approvals through the exec approver gate, bypassing intended approval splits. Attackers with limited exec approval permissions can approve plugin actions outside their designated operator scope. Fixed in OpenClaw 2026.5.12.
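The scope and approver gaps described in the paragraphs above, modelled as an added example that is not OpenClaw's own code: the flawed route check merges inherited route scopes into the caller's, the hardened one consults only the caller's token, and approval resolution requires both the configured approver identity and the matching approval kind. Scope and route names come from the advisory; the type names, command table and sample identities are assumptions.

```typescript
// Added illustration, not OpenClaw's own code: a minimal model of the two
// enforcement gaps described in the advisory. Scope and route names come
// from the advisory; every type, field and command table here is an assumption.

type Scope = "operator.write" | "operator.approvals" | "operator.admin";
type ApprovalKind = "exec" | "plugin";

interface Caller { id: string; scopes: Scope[] }
interface Route { name: string; inheritedScopes: Scope[] }
interface Pending { id: string; kind: ApprovalKind; approverId: string }
interface Approver { id: string; kinds: ApprovalKind[] }

// Hypothetical command table: which scopes may run a privileged command.
const PRIVILEGED: Record<string, Scope[]> = {
  "/approve": ["operator.approvals", "operator.admin"],
  "/exec": ["operator.admin"],
};

function hasAny(granted: Scope[], required: Scope[]): boolean {
  return required.some((s) => granted.includes(s));
}

// Flawed check (the CVE-2026-35674 pattern): scopes inherited from the
// external route are merged into the caller's own, so an operator.write
// client reaching chat.send through such a route passes as operator.admin.
function canSendFlawed(c: Caller, r: Route, cmd: string): boolean {
  const required = PRIVILEGED[cmd];
  if (!required) return c.scopes.includes("operator.write");
  return hasAny([...c.scopes, ...r.inheritedScopes], required);
}

// Hardened check: only the caller's own token scopes are consulted; the
// route's inherited scopes play no part in the authorization decision.
function canSendFixed(c: Caller, _r: Route, cmd: string): boolean {
  const required = PRIVILEGED[cmd];
  if (!required) return c.scopes.includes("operator.write");
  return hasAny(c.scopes, required);
}

// Approval resolution (the CVE-2026-35630 / CVE-2026-32906 pattern): the
// actor must be the configured approver for this request and hold the
// matching approval kind, so an exec approver cannot settle a plugin request.
function canResolve(p: Pending, a: Approver): boolean {
  return a.id === p.approverId && a.kinds.includes(p.kind);
}
```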

**Patch status and response.** OpenClaw has released fixes across four version milestones: 2026.4.29 (addressing CVE-2026-35673 and CVE-2026-34507), 2026.5.4 (addressing CVE-2026-32905), 2026.5.12 (addressing CVE-2026-32906), and 2026.5.18 (addressing CVE-2026-35674 and CVE-2026-35630). Administrators running versions prior to these cutoffs should update to the latest available release for their deployment track. No in-the-wild exploitation has been reported for any of the six CVEs at the time of disclosure.

**Why this batch matters.** The six CVEs share a common thread: OpenClaw's permission and scope enforcement mechanisms had multiple gaps across different integration points, namely QQBot, Slack, the Gateway chat layer, and the device-pair plugin. For organizations using OpenClaw as a central chat-ops gateway, these vulnerabilities collectively represent a risk of privilege escalation and policy bypass that could undermine the separation-of-duties model the platform is designed to enforce. Administrators should prioritize updating to at least version 2026.5.18 to close all disclosed paths.

AI-written article. Grounded in 6 CVE records listed below.