Listen to this Post
In OpenClaw versions up to 2026.3.2, a critical flaw in authorization scope enforcement allowed authenticated gateway clients with `operator.write` privileges to perform persistent configuration mutations. The vulnerability stemmed from inconsistent handling of slash commands in the `chat.send` method. While direct Remote Procedure Call (RPC) methods for configuration (like /config set) were correctly restricted to `operator.admin` scope, the `chat.send` handler processed these same slash commands in an internal gateway-chat context that automatically set CommandAuthorized: true. The `/config` write paths only checked this command authorization flag and the presence of `commands.config` or `channels.chat.send, while maintaining read-only access for write-scoped clients and leaving standard messaging channel behavior unchanged.
Platform: npm
Version: <=2026.3.2
Vulnerability: Auth Bypass
Severity: Medium
Date: March 9, 2026
Prediction: March 8, 2026
What Undercode Say:
Analytics
The vulnerability affects the npm package `openclaw` in versions up to `2026.3.2` . The exploit requires an authenticated gateway client with `operator.write` privileges and `chat.send` access where `/config` command support is enabled. Attack complexity is high due to these prerequisites, and the maintainer-assigned severity is medium as it represents a scoped control-plane privilege mismatch rather than a broad unauthenticated compromise. The fix was implemented in commit `5f8f58ae25e2a78f31b06edcf26532d634ca554e` and released in npm version `2026.3.7` on March 8, 2026.
How Exploit:
The exploit leverages the authorization inconsistency between direct RPC methods and slash command handlers. An attacker with `operator.write` access cannot directly call `/config set` via RPC, but can achieve the same effect through chat.send. The proof of concept involves sending a chat message containing a `/config set` command, which the vulnerable versions process with elevated privileges due to the `CommandAuthorized: true` context. The following demonstrates the attack flow:
Authenticate as operator.write client openclaw auth login --token operator_write_token Attempt direct config change (fails - requires admin) openclaw rpc config.set --key "some.setting" --value "malicious" Bypass via chat.send (succeeds in vulnerable versions) openclaw chat.send --message "/config set some.setting malicious"
Protection from this CVE
Immediate protection requires upgrading to OpenClaw version `2026.3.7` or later. The fix enforces proper authorization by requiring `operator.admin` for persistent config writes through any vector, including chat.send. For deployments unable to upgrade immediately, administrators should:
– Audit all gateway clients with `operator.write` access
– Temporarily disable `/config` command support in affected channels
– Monitor logs for unauthorized config changes via `chat.send`
– Restrict `chat.send` access to trusted clients only
Verify your version and upgrade using:
Check current version npm list openclaw Upgrade to patched version npm install [email protected] Verify upgrade openclaw --version
Impact
The vulnerability allows authenticated `operator.write` clients to perform unauthorized persistent configuration mutations, effectively gaining write access to settings that should require administrative privileges. While exploitation requires specific preconditions, successful attacks could modify system behavior, alter security settings, or disrupt service operations. The impact is limited to configuration changes only, not arbitrary code execution or data breaches, but the ability to persistently modify configuration represents a significant privilege escalation within the control plane.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

