The vulnerability stems from a missing authorization check in OpenClaw’s internal control plane. An authenticated internal Gateway caller holding only the `operator.write` scope can execute mutating `/allowlist` commands that should require the higher-privileged `operator.admin` scope. The `/allowlist` command handler in `src/auto-reply/reply/commands-allowlist.ts` (lines 251-254) performs only a coarse `rejectUnauthorizedCommand(…)` check, which is insufficient to distinguish the `write` scope from the `admin` scope. The mutating logic (lines 386-524) then writes persistently to both the configuration-backed `allowFrom` entries and the pairing-store-backed allowlist without calling `requireGatewayClientScopeForInternalChannel(…, operator.admin, …)`. This is inconsistent with the peer commands `/config`, `/mcp`, `/plugins` and `/acp`, which already enforce the `admin` scope for mutations. An attacker with `operator.write` access can route a slash command through `chat.send`, execute `/allowlist add dm channel=telegram 789`, and observe successful persistent changes despite lacking `operator.admin`. The flaw was introduced in commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` and affects versions `v2026.1.20` through `v2026.3.23`.
Platform: OpenClaw
Version: v2026.3.23
Vulnerability: Missing Authorization
Severity: Medium
Date: 2026-03-24
Prediction: Patch expected: 2026-03-24
What Undercode Say:
Check vulnerable version:
git checkout v2026.3.23
Reproduce with an operator.write context (the Gateway URL and port below are assumptions, and the JSON body is illustrative of the slash command being routed through chat.send; adjust both to the deployment under test):
curl -X POST http://localhost:3000/chat.send \
  -H "Content-Type: application/json" \
  -d '{"provider":"webchat","surface":"webchat","scopes":["operator.write"],"command":"/allowlist add dm channel=telegram 789"}'
How to exploit:
1. Authenticate as internal Gateway caller.
2. Ensure scopes contain `operator.write`.
3. Send slash command via `chat.send`.
4. Execute `/allowlist add dm channel=telegram 789`.
5. Observe persistent config/store changes.
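The following is an added example (not OpenClaw's code) modelling the mechanism described above and the reproduction steps just listed: a coarse `rejectUnauthorizedCommand` gate that only establishes the caller is some kind of operator, a mutating `/allowlist add` branch that writes to both backing stores, and the hardened form that demands `operator.admin` before the write. The scope names and command syntax follow the advisory; `GatewayCaller`, `AllowlistState`, `requireGatewayClientScope`, `parseAllowlist` and the in-memory stores are assumptions made for this illustration.

```typescript
// Added example, not OpenClaw's code. Types, helper names and the in-memory
// stores are assumptions; only the scope names and command syntax come from
// the advisory.
type Scope = "operator.read" | "operator.write" | "operator.admin";

interface GatewayCaller { id: string; scopes: Scope[]; }

// Persistent state a mutating command writes to: one map standing in for the
// config-backed allowFrom entries, one set for the pairing-store allowlist.
interface AllowlistState {
  allowFrom: Map<string, Set<string>>; // channel -> allowed sender ids
  pairingStore: Set<string>;           // "channel:id" keys
}

function newState(): AllowlistState {
  return { allowFrom: new Map(), pairingStore: new Set() };
}

class ScopeError extends Error {
  constructor(msg: string) { super(msg); this.name = "ScopeError"; }
}

// Coarse gate: rejects callers with no operator scope at all. It cannot tell
// write from admin, which is exactly why it is not enough for a mutation.
function rejectUnauthorizedCommand(caller: GatewayCaller): void {
  if (caller.scopes.length === 0) throw new ScopeError("no operator scope");
}

// Fine-grained gate: the caller must hold the named scope.
function requireGatewayClientScope(caller: GatewayCaller, required: Scope): void {
  if (!caller.scopes.includes(required)) throw new ScopeError(`requires ${required}`);
}

interface AllowlistCmd { action: "add" | "remove" | "list"; channel?: string; target?: string; }

// Parses "/allowlist add dm channel=telegram 789" style commands.
function parseAllowlist(command: string): AllowlistCmd {
  const parts = command.trim().split(/\s+/);
  if (parts[0] !== "/allowlist") throw new Error("not an allowlist command");
  const action = parts[1];
  if (action !== "add" && action !== "remove" && action !== "list") throw new Error("bad action");
  if (action === "list") return { action };
  const channel = parts.find((p) => p.startsWith("channel="))?.slice("channel=".length);
  const target = parts[parts.length - 1];
  if (!channel || !target || target.startsWith("channel=")) throw new Error("missing channel or target");
  return { action, channel, target };
}

// The persistent write: both backing stores change together.
function applyMutation(state: AllowlistState, cmd: AllowlistCmd): void {
  const channel = cmd.channel as string, target = cmd.target as string;
  const key = `${channel}:${target}`;
  const set = state.allowFrom.get(channel) ?? new Set<string>();
  if (cmd.action === "add") { set.add(target); state.pairingStore.add(key); }
  else { set.delete(target); state.pairingStore.delete(key); }
  state.allowFrom.set(channel, set);
}

// Vulnerable shape: one coarse check up front, then unconditional writes.
function handleAllowlistVulnerable(caller: GatewayCaller, state: AllowlistState, command: string): string {
  rejectUnauthorizedCommand(caller);
  const cmd = parseAllowlist(command);
  if (cmd.action === "list") return [...state.pairingStore].join(",");
  applyMutation(state, cmd);
  return "ok";
}

// Hardened shape: the mutating branch demands operator.admin, matching what
// the advisory says /config, /mcp, /plugins and /acp already enforce.
function handleAllowlistFixed(caller: GatewayCaller, state: AllowlistState, command: string): string {
  rejectUnauthorizedCommand(caller);
  const cmd = parseAllowlist(command);
  if (cmd.action === "list") return [...state.pairingStore].join(",");
  requireGatewayClientScope(caller, "operator.admin");
  applyMutation(state, cmd);
  return "ok";
}

// Runs the reproduction against both handlers with a write-only caller and
// reports whether the pairing store changed.
function reproduce(): { vulnerable: string; fixed: string } {
  const writer: GatewayCaller = { id: "svc-writer", scopes: ["operator.write"] };
  const command = "/allowlist add dm channel=telegram 789";
  const s1 = newState();
  handleAllowlistVulnerable(writer, s1, command);
  const vulnerable = s1.pairingStore.has("telegram:789") ? "persisted" : "rejected";
  const s2 = newState();
  let fixed = "persisted";
  try { handleAllowlistFixed(writer, s2, command); }
  catch (e) { fixed = (e as Error).name === "ScopeError" && s2.pairingStore.size === 0 ? "rejected" : "error"; }
  return { vulnerable, fixed };
}

console.log(reproduce());
```

The `list` branch deliberately stays behind the coarse check in the fixed handler: only the branches that write need the admin gate, which is the same split the advisory draws between read and mutation paths.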
Protection from this CVE:
- Upgrade to OpenClaw version `2026.3.24` or later.
- Apply the patch adding `requireGatewayClientScopeForInternalChannel(…, ["operator.admin"], …)` to `commands-allowlist.ts`.
- Audit all mutating internal chat commands for missing scope enforcement.
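As an added example backing the audit step above (not OpenClaw's code or tooling), here is a heuristic scan that flags command-handler sources which contain persistent-write calls but no `requireGatewayClientScopeForInternalChannel(…, "operator.admin", …)` call. The write markers (`saveConfig`, `pairingStore.add/delete/set`, assignments to `.allowFrom`) and the three sample handler sources are constructed for this illustration and would need to be replaced with the real repository's persistence helpers; the scan is a pattern match, so its output is a review queue, not a verdict.

```typescript
// Added example, not OpenClaw's code. Marker names and sample sources are
// assumptions constructed for the illustration.
const WRITE_MARKERS: RegExp[] = [
  /\bsaveConfig\s*\(/,
  /\bpairingStore\.(add|delete|set)\s*\(/,
  /\.allowFrom\s*=[^=]/,
];
// Matches the admin gate with either a bare string or an array of scopes.
const ADMIN_CHECK = /requireGatewayClientScopeForInternalChannel\s*\([\s\S]*?["']operator\.admin["']/;
const COARSE_CHECK = /\brejectUnauthorizedCommand\s*\(/;

interface Finding { file: string; severity: "high" | "info"; reason: string; }

// Classifies one handler source: a write with no admin gate is the bug class
// described in the advisory; an admin gate on a handler with no writes is
// only worth a glance.
function auditHandler(file: string, source: string): Finding | null {
  const writes = WRITE_MARKERS.some((re) => re.test(source));
  const adminGate = ADMIN_CHECK.test(source);
  const coarseGate = COARSE_CHECK.test(source);
  if (writes && !adminGate) {
    return {
      file,
      severity: "high",
      reason: coarseGate
        ? "persistent write behind a coarse authorization check only; no operator.admin gate"
        : "persistent write with no scope check at all",
    };
  }
  if (!writes && adminGate) {
    return { file, severity: "info", reason: "admin gate on a handler with no persistent writes; confirm intent" };
  }
  return null;
}

function auditAll(sources: Record<string, string>): Finding[] {
  return Object.entries(sources)
    .map(([file, src]) => auditHandler(file, src))
    .filter((f): f is Finding => f !== null);
}

// Constructed stand-ins for files under src/auto-reply/reply/: one handler
// shaped like the vulnerable /allowlist path, one shaped like a gated peer
// command, and one read-only handler.
const SAMPLE_SOURCES: Record<string, string> = {
  "commands-allowlist.ts": `
    rejectUnauthorizedCommand(params);
    if (action === "add") {
      cfg.allowFrom = [...cfg.allowFrom, entry];
      saveConfig(cfg);
      pairingStore.add(key);
    }`,
  "commands-config.ts": `
    rejectUnauthorizedCommand(params);
    requireGatewayClientScopeForInternalChannel(params, ["operator.admin"], "config");
    cfg.allowFrom = merged;
    saveConfig(cfg);`,
  "commands-status.ts": `
    rejectUnauthorizedCommand(params);
    return renderStatus(cfg);`,
};

console.log(auditAll(SAMPLE_SOURCES));
```

Run it over the real handler directory by reading each file into the `sources` map; anything reported as `high` is a handler that mutates state on the same authorization footing the advisory describes for `/allowlist`.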
Impact:
- Unauthorized persistent modifications to allowlist.
- Bypass of internal `operator.admin` scope requirement.
- Potential for privilege escalation via allowlist manipulation.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

