OpenClaw, Improper Authorization, CVE-2026-XXXXX (Moderate)

Listen to this Post

How the CVE Works

The vulnerability resides in the `/allowlist` command handler, which lacks proper owner-only enforcement when processing cross‑channel allowlist write operations. In OpenClaw, certain privileged commands are designated as ownerOnly, meaning they should be executable exclusively by the session owner—typically the user who owns the OpenClaw instance. The `/allowlist` command falls into this category because modifying the allowlist can grant or revoke access to sensitive resources.
However, the command handler for `/allowlist` only verifies that the sender is command‑authorized (i.e., can issue commands at all), but it does not enforce that the sender is the owner of the channel for which the allowlist write is intended. As a result, a non‑owner sender who is already authorized to execute commands on their own channel can exploit this oversight to write allowlist entries against a different channel.

The attack flow is as follows:

  1. An attacker must already be an authorized sender on some channel (e.g., a group chat where they have command privileges).
  2. The attacker issues a `/allowlist –store` command targeting a different channel’s allowlist.
  3. Because the command handler does not check that the target channel belongs to the session owner, it accepts the cross‑channel write.
  4. The attacker successfully adds or modifies allowlist entries for a channel they do not own, potentially granting themselves unauthorized access or escalating privileges.
    The root cause is an improper account scoping when writing to the persistent pairing store. The system correctly resolves the account ID for read operations, but write operations bypass the owner check, allowing a sub‑account user to elevate privileges to the default account scope. The vulnerability is tracked as CWE‑285 (Improper Authorization) and CWE‑668 (Exposure of Resource to Wrong Sphere). It has a CVSS score of 6.5 (Moderate), with high integrity impact and a proof‑of‑concept exploit available.
    The issue was fixed by enforcing owner‑only validation in the `/allowlist` command handler, ensuring that any write operation is rejected unless the sender is the owner of the targeted channel. The patch was committed to the `main` branch and released in npm package version 2026.4.8. The verified fix is contained in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

dailycve form

Platform: OpenClaw npm
Version: ≤2026.4.1
Vulnerability : Improper Authorization
Severity: Moderate
date: 2026-04-09

Prediction: Patch 2026-04-08

What Undercode Say

The vulnerability highlights the importance of consistent authorization checks across all code paths. To mitigate similar issues, enforce owner‑only checks at the command handler level and use regression tests to verify that privileged commands cannot be abused across channels.

Bash Commands and Codes

Check your OpenClaw version
npm list openclaw
Upgrade to the patched version
npm install [email protected]
Verify the fix is applied
grep -r "ownerOnly" ~/.openclaw/credentials/.json

Exploit

  1. Ensure you have command authorization on a channel (e.g., a group chat where you can send `/allowlist` commands).
  2. Identify a target channel owned by another user (e.g., a different group or DM).
  3. Send a crafted `/allowlist –store` command that writes a new allowlist entry for the target channel, e.g., /allowlist –store channel_id=target add user=attacker.
  4. Because the owner check is omitted, the write operation succeeds, granting the attacker unauthorized access to the target channel’s resources.

Protection from this CVE

Immediate Action: Upgrade OpenClaw to version 2026.4.8 or later.
If upgrading is not possible: Manually edit the JSON credential files in `~/.openclaw/credentials/` and remove any allowlist entries that lack an `accountId` key or that belong to unexpected channels.
Long‑term Hardening: Restrict permissions for the `/allowlist` command using a Web Application Firewall (WAF) or API gateway, and enforce strict channel‑based access controls.

Impact

Integrity: An attacker can modify allowlist entries for channels they do not own, potentially granting themselves unauthorized access or elevating privileges.
Confidentiality: Low – the vulnerability does not directly expose sensitive data.
Availability: Low – the attack does not disrupt service availability.
Scope: Cross‑channel privilege escalation. An authenticated non‑owner can write allowlist rules for any channel, bypassing the intended owner‑only restriction.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top