OpenClaw, Improper Authorization, CVE-2026-XXXXX (Medium)


How the Mentioned CVE Works

The vulnerability exists in OpenClaw versions prior to v2026.3.24, specifically within the command authorization logic for the `/send` command. The core issue is a flaw in the `handleSendPolicyCommand` function located at `src/auto-reply/reply/commands-session.ts` (lines 212-239). This handler is designed to mutate the session’s `sendPolicy`, which controls whether replies are delivered in a chat. According to the documentation, this command is strictly owner-only, intended to be a privileged action.

However, the authorization check in the vulnerable code path only verifies `params.command.isAuthorizedSender`, a flag that determines if a user is permitted to run any command based on configurations like `commands.allowFrom`. This check fails to enforce the stricter `senderIsOwner` requirement. The `senderIsOwner` status is computed separately in `src/auto-reply/command-auth.ts` (lines 401-407), and a sender can be command-authorized (able to run commands) without being the owner.

A non-owner but command-authorized sender can issue `/send off`, `/send on`, or `/send inherit`. The handler, seeing `isAuthorizedSender === true`, proceeds to modify the `sessionEntry.sendPolicy` and calls `persistSessionEntry(params)`. This action persistently changes the session’s delivery behavior. This bypasses the documented owner-only contract for the `/send` command, effectively allowing a lower-privileged user to control a core session setting. The issue was verified on the latest affected tag, v2026.3.23, and is distinct from previous advisories like GHSA-r7vr-gr74-94p8, which covered similar authorization flaws for `/config` and `/debug` commands.

dailycve form:

Platform: OpenClaw
Version: v2026.1.14-1 to v2026.3.23
Vulnerability: Improper Authorization
Severity: Medium
Date: 2026-03-24

Prediction: 2026-03-24

What Undercode Say:

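The flaw is a classic case of separated authorization logic: command authorization and ownership are computed independently, and the handler consults only the weaker of the two. The following bash commands check out the affected version and state the condition that triggers the flaw, followed by the relevant check from the handler.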

```bash
# Clone the vulnerable tag
git clone https://github.com/openclaw/openclaw.git
cd openclaw
git checkout v2026.3.23
# Simulate a non-owner but authorized sender (conceptual)
# The vulnerability is in the handler logic, not a direct command-line exploit.
# This shows the condition that triggers the flaw.
echo "Trigger condition: isAuthorizedSender=true && senderIsOwner=false"
```

```typescript
// Code snippet from src/auto-reply/reply/commands-session.ts
// The handler only checks isAuthorizedSender, not owner status.
if (params.command.isAuthorizedSender) {
  // Mutate sendPolicy without owner check
}
```

Exploit:

A non-owner user with command authorization (e.g., added to `commands.allowFrom`) can execute the `/send` command. By sending `/send off`, they can disable all future replies in the current session, effectively silencing the bot. Conversely, they can re-enable replies with `/send on` if the owner had disabled them, or reset the policy with `/send inherit`. This exploitation requires no additional privileges beyond being allowed to run commands and having an active session.

Protection from this CVE

  • Upgrade: Immediately update to OpenClaw version v2026.3.24 or later, which includes the fix that enforces owner status for the `/send` command.
  • Mitigation: If an immediate upgrade is not possible, restrict the `commands.allowFrom` configuration to only include fully trusted users, or disable the `/send` command via command allow/deny lists.
  • Monitoring: Audit logs for unauthorized usage of the `/send` command by non-owner users to identify potential exploitation attempts.
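
The missing check, modeled as an added TypeScript example (not OpenClaw's source or its actual patch): the pre-fix gate next to one that also requires `senderIsOwner`. The `SendParams` shape, the `requested` and `persisted` fields, the handler names, and the placement of `senderIsOwner` on `command` are assumptions made for illustration.

```typescript
// Simplified model of the /send authorization gate. Names other than those
// quoted in the advisory are hypothetical.
type SendPolicy = "on" | "off" | "inherit";

interface CommandContext {
  isAuthorizedSender: boolean; // may run commands at all (e.g. via commands.allowFrom)
  senderIsOwner: boolean;      // assumption: owner flag is available beside it
}

interface SendParams {
  command: CommandContext;
  sessionEntry: { sendPolicy: SendPolicy };
  requested: SendPolicy;       // parsed argument of "/send <on|off|inherit>"
  persisted: SendPolicy[];     // stand-in for the session store; one entry per write
}

// Stand-in for persistSessionEntry(params): records what would be written.
function persistSessionEntry(params: SendParams): void {
  params.persisted.push(params.sessionEntry.sendPolicy);
}

// Pre-fix behaviour as the advisory describes it: command authorization alone
// is enough to mutate and persist the session's sendPolicy.
function handleSendVulnerable(params: SendParams): boolean {
  if (!params.command.isAuthorizedSender) return false;
  params.sessionEntry.sendPolicy = params.requested;
  persistSessionEntry(params);
  return true;
}

// Hardened gate: both flags must hold before any mutation or persistence.
function handleSendHardened(params: SendParams): boolean {
  if (!params.command.isAuthorizedSender || !params.command.senderIsOwner) return false;
  params.sessionEntry.sendPolicy = params.requested;
  persistSessionEntry(params);
  return true;
}

// Constructed input: a sender listed in commands.allowFrom who is not the owner.
function nonOwnerRequest(requested: SendPolicy): SendParams {
  return {
    command: { isAuthorizedSender: true, senderIsOwner: false },
    sessionEntry: { sendPolicy: "on" },
    requested,
    persisted: [],
  };
}
```

A regression test for the fix should cover all four combinations of the two flags and assert that only the owner who is also command-authorized causes a persisted write.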

Impact

  • Availability: An attacker can suppress all replies in a session (`/send off`), causing a denial of service for the bot’s intended functionality within that chat.
  • Integrity: A non-owner can alter the session’s delivery policy, violating the documented owner-only control and potentially misleading participants about the bot’s configuration.
  • Scope: The impact is limited to persistent session-state mutation. It does not lead to code execution, sandbox escape, or cross-host compromise. The severity is assessed as Medium.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
