A critical vulnerability in OpenClaw versions up to 2026.3.11 allowed an attacker to gain elevated privileges by exploiting a flaw in the WebSocket connection handshake. The gateway component failed to properly validate shared-authentication scopes for certain device-less connections. Specifically, when a connection was made using a shared token or password but did not originate from the trusted Control UI path, the system did not clear the client-declared scopes. This meant a malicious client could initiate a WebSocket connection and present a high-privilege scope like `operator.admin` in its connection parameters. Because the server-side logic did not bind these scopes to a validated device identity or the specific UI context, it accepted the self-declared scopes. This effectively allowed an unprivileged shared-secret holder to perform administrative actions, crossing the intended authorization boundary and granting full control over the gateway and its connected nodes.
DailyCVE Form:
Platform: OpenClaw
Version: ≤ 2026.3.11
Vulnerability: Authorization Bypass
Severity: Critical
Date: Mar 13 2026
Prediction: Patched (2026.3.12)
What Undercode Say:
Analytics:
This vulnerability is a classic case of missing server-side authorization checks on a critical path. The flaw lies in the assumption that a client-declared scope can be trusted without verification against a known device or a secure context like the Control UI. This is particularly dangerous in the AI agent ecosystem, where OpenClaw acts as a central orchestrator with access to sensitive data and system commands. The ability to escalate to `operator.admin` effectively turns any shared-secret user into a full administrator, bypassing all multi-tenant or least-privilege boundaries. This incident, patched in the 2026.3.12 release alongside other security fixes, highlights the risks of complex agent workflows where authentication and authorization states are not consistently enforced across all connection types.
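The missing check described above, sketched as an added example (not OpenClaw's code and not from the original page). The connection object, its fields `authMethod`, `deviceId`, `viaControlUi` and `declaredScopes`, the grants map and the `example.read` scope are all assumptions; the sketch contrasts accepting declared scopes with clearing those the server cannot bind.

```javascript
// Added illustration with hypothetical names; not OpenClaw source code.
// conn fields are assumed to be set by the server, except declaredScopes,
// which is whatever the client sent in its connect parameters.

// Vulnerable pattern: an authenticated connection keeps the scopes it declared.
function resolveScopesVulnerable(conn) {
  if (!conn.authenticated) return [];
  return [...conn.declaredScopes];
}

// Hardened pattern: declared scopes are only a request.
function resolveScopesHardened(conn, deviceGrants) {
  if (!conn.authenticated) return [];
  // Bound to a validated device: intersect the request with that device's grants.
  if (conn.deviceId && deviceGrants.has(conn.deviceId)) {
    const granted = deviceGrants.get(conn.deviceId);
    return conn.declaredScopes.filter((s) => granted.has(s));
  }
  // Shared secret arriving over the trusted Control UI path keeps its scopes.
  if (conn.authMethod === 'shared' && conn.viaControlUi === true) {
    return [...conn.declaredScopes];
  }
  // Device-less shared-auth connection from anywhere else: clear everything.
  return [];
}

// Constructed sample connections.
const deviceGrants = new Map([['dev-1', new Set(['example.read'])]]);
const backendShared = {
  authenticated: true, authMethod: 'shared', deviceId: null,
  viaControlUi: false, declaredScopes: ['operator.admin'],
};
const pairedDevice = {
  authenticated: true, authMethod: 'device', deviceId: 'dev-1',
  viaControlUi: false, declaredScopes: ['example.read', 'operator.admin'],
};

console.log('vulnerable:', resolveScopesVulnerable(backendShared));
console.log('hardened:', resolveScopesHardened(backendShared, deviceGrants));
console.log('device-bound:', resolveScopesHardened(pairedDevice, deviceGrants));
```

`viaControlUi` has to be derived by the server from how the connection arrived; a flag the client can set would reintroduce the same trust problem.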
Bash Commands and Codes:
Check your current OpenClaw version to see if it is vulnerable.
```bash
openclaw --version  # If the version is 2026.3.11 or lower, it is vulnerable.
```
Verify the fix by checking the gateway logs for cleared scope messages after update.
```bash
# After updating to 2026.3.12, attempt a connection and check the logs
grep "Clearing unbound scopes for non-Control-UI connection" /var/log/openclaw/gateway.log
```
Inspect the WebSocket handshake for scope declaration (for educational purposes in a lab).
```javascript
// Example of a malicious WebSocket client trying to elevate scopes (DO NOT USE ON PRODUCTION)
const WebSocket = require('ws');
const ws = new WebSocket('ws://localhost:18792/connect', {
  headers: {
    'Authorization': 'Bearer SHARED_TOKEN',
    'X-OpenClaw-Scopes': 'operator.admin' // The self-declared elevated scope
  }
});
```
How Exploit:
An attacker would first obtain or guess a shared secret (token/password) used for device-less backend authentication. This could be achieved via brute-forcing, as previous vulnerabilities showed no rate-limiting on localhost connections. With a valid shared token, the attacker then crafts a WebSocket connection request to the OpenClaw gateway. In the connection parameters, they include a scope they should not have, such as `operator.admin`. Because the vulnerable gateway logic checks for the presence of the shared token but does not validate the associated scopes against a device identity or the Control UI origin, it accepts the connection with the elevated privileges. The attacker can now send commands to control the AI agent, access configurations, and execute actions on all connected nodes, achieving full system compromise from a single browser tab or script.
Protection from this CVE:
- Immediate Update: The most critical step is to update OpenClaw to version 2026.3.12 or later, which contains the patch that clears unbound scopes for non-Control-UI shared-auth connections.
- Network Segmentation: Follow OpenClaw’s deployment guidance to ensure the gateway WebSocket is only reachable from a trusted network. Use firewall rules to restrict access to localhost and trusted internal IPs only.
- Strong Authentication: Enforce strong, unique shared secrets and consider using Tailscale with strict ACLs to add a layer of device-level authentication before the application layer.
- Audit Connections: Regularly monitor gateway logs for connections from unexpected origins or connections that attempt to declare scopes. Look for patterns of failed and successful authentication attempts.
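One way to automate the audit in the last bullet, as an added example that is not part of the original page or of OpenClaw. The JSON-lines log format, its field names and the sample lines are constructed for illustration; the real gateway log format is not shown on this page.

```javascript
// Constructed sample log (hypothetical JSON-lines format and field names).
const SAMPLE_LOG = [
  '{"event":"ws.auth","ok":false,"remote":"10.0.0.7"}',
  '{"event":"ws.auth","ok":false,"remote":"10.0.0.7"}',
  '{"event":"ws.auth","ok":false,"remote":"10.0.0.7"}',
  '{"event":"ws.connect","auth":"shared","path":"backend","deviceId":null,"declaredScopes":["operator.admin"],"remote":"10.0.0.7"}',
  '{"event":"ws.connect","auth":"shared","path":"control-ui","deviceId":null,"declaredScopes":["operator.admin"],"remote":"127.0.0.1"}',
  '{"event":"ws.connect","auth":"device","path":"backend","deviceId":"dev-1","declaredScopes":[],"remote":"127.0.0.1"}',
  'not json',
].join('\n');

// Returns one finding per suspicious line: { line, remote, reasons }.
function auditGatewayLog(logText, trustedRemotes, failThreshold = 3) {
  const failures = new Map(); // remote -> failed auth attempts since last connect
  const findings = [];
  logText.split('\n').forEach((line, idx) => {
    if (!line.trim()) return;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      // A line that cannot be parsed is reported, never silently skipped.
      findings.push({ line: idx + 1, reasons: ['unparseable'] });
      return;
    }
    if (rec.event === 'ws.auth' && rec.ok === false) {
      failures.set(rec.remote, (failures.get(rec.remote) || 0) + 1);
      return;
    }
    if (rec.event !== 'ws.connect') return;
    const reasons = [];
    const scopes = Array.isArray(rec.declaredScopes) ? rec.declaredScopes : [];
    // Device-less shared-auth connection outside the Control UI that declares scopes.
    if (rec.auth === 'shared' && !rec.deviceId && rec.path !== 'control-ui' && scopes.length > 0) {
      reasons.push('unbound-scope-declaration');
    }
    if (!trustedRemotes.has(rec.remote)) reasons.push('unexpected-origin');
    if ((failures.get(rec.remote) || 0) >= failThreshold) reasons.push('success-after-failures');
    failures.delete(rec.remote);
    if (reasons.length > 0) findings.push({ line: idx + 1, remote: rec.remote, reasons });
  });
  return findings;
}

console.log(JSON.stringify(auditGatewayLog(SAMPLE_LOG, new Set(['127.0.0.1'])), null, 2));
```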
Impact:
A successful exploit completely breaks the authorization model of OpenClaw. An attacker with a low-privilege shared token can escalate to a full administrator (operator.admin). This leads to:
- Full Agent Control: The attacker can instruct the AI agent to perform any action, such as reading private messages, extracting API keys from Slack history, and exfiltrating sensitive files.
- Node Compromise: The attacker can enumerate all connected nodes (e.g., laptops, phones) and execute arbitrary shell commands on them, leading to a full workstation compromise.
- Data Breach and Persistence: With admin access, an attacker can dump all configurations, conversation logs, and set up backdoors for persistent access, turning the AI assistant into a long-term surveillance tool.
Sources:
Reported By: github.com

