Listen to this Post
The vulnerability exists because the `/allowlist` command in OpenClaw Gateway performs persistent configuration writes without re-validating the caller’s gateway client scopes. The gateway’s design separates `chat.send` as a write-scoped action (operator.write) and direct configuration mutation as an admin-scoped action (operator.admin). An attacker with `operator.write` scope can call chat.send, which creates an internal message context with `CommandAuthorized: true` and passes the client’s scopes. When the `/allowlist add|remove` command is invoked, `resolveCommandAuthorization(…)` marks the request as isAuthorizedSender=true, granting command execution. The handler then proceeds to clone the config, apply edits via plugin.allowlist.applyConfigEdit(...), and persist changes with writeConfigFile(validated.config). No sink-side check enforces that the caller has `operator.admin` before the write occurs. In contrast, endpoints like `/config` and `/plugins` include this internal admin check. This creates a control-plane mismatch: a client limited to `operator.write` can mutate channel authorization policy (e.g., allowFrom, groupAllowFrom) through /allowlist, a privilege reserved for `operator.admin` in direct configuration patches.
Platform: OpenClaw Gateway
Version: Before 2026.3.24
Vulnerability: Privilege Escalation
Severity: Medium
Date: 2026-03-31
Prediction: Patch date 2026-03-24
What Undercode Say:
Simulated vulnerable request chain
Attacker with operator.write scope sends a chat message containing the command
curl -X POST https://gateway/chat.send \
-H "Authorization: Bearer <operator_write_token>" \
-d '{"message": "/allowlist add dm @attacker"}'
Exploit:
Authenticated write-scoped client calls chat.send with crafted /allowlist command, bypassing admin scope check to modify channel allowlist policies.
Protection from this CVE:
Update to OpenClaw version 2026.3.24 or later; apply sink-side admin scope validation for /allowlist writes.
Impact:
Unauthorized modification of channel authorization policies, allowing privilege escalation and weakening of documented control-plane isolation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

