OpenClaw, Missing Authorization, CVE-2026-XXXXX (Medium)


The vulnerability stems from a missing authorization check in OpenClaw's internal control plane. Specifically, an authenticated internal Gateway caller with the `operator.write` scope can execute mutating `/allowlist` commands that should require the higher-privileged `operator.admin` scope.

The issue exists because the `/allowlist` command handler in `src/auto-reply/reply/commands-allowlist.ts` (lines 251-254) only uses a basic `rejectUnauthorizedCommand(…)` check, which is insufficient for distinguishing between the `write` and `admin` scopes. The mutating logic, located in lines 386-524, performs persistent writes to both the configuration-backed `allowFrom` entries and the pairing-store-backed allowlist without invoking `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`. This creates a discrepancy with peer commands such as `/config`, `/mcp`, `/plugins`, and `/acp`, which already enforce the `admin` scope for mutations.

An attacker with `operator.write` access can route a slash command through `chat.send`, execute `/allowlist add dm channel=telegram 789`, and observe successful persistent changes despite lacking `operator.admin` privileges. The flaw was introduced in commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` and affects versions from `v2026.1.20` through `v2026.3.23`.
Platform: OpenClaw
Version: v2026.3.23
Vulnerability: Missing Authorization
Severity: Medium
Date: 2026-03-24

Prediction: Patch expected: 2026-03-24

What Undercode Says:

```shell
# Check out the vulnerable version
git checkout v2026.3.23

# Reproduce with an operator.write context
curl -X POST http://localhost:3000/chat.send \
  -H "Content-Type: application/json" \
  -d '{"provider":"webchat","surface":"webchat","scopes":["operator.write"],"command":"/allowlist add dm channel=telegram 789"}'
```

How to Exploit:

1. Authenticate as internal Gateway caller.

2. Ensure scopes contain `operator.write`.

3. Send slash command via `chat.send`.

4. Execute `/allowlist add dm channel=telegram 789`.

5. Observe persistent config/store changes.

Protection from this CVE:

  • Upgrade to OpenClaw version `2026.3.24` or later.
  • Apply the patch adding `requireGatewayClientScopeForInternalChannel(…, ["operator.admin"], …)` to `commands-allowlist.ts`.
  • Audit all mutating internal chat commands for missing scope enforcement.
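The following is an added illustration, not OpenClaw's own code: a minimal model of the scope check that the `/allowlist` handler was missing, with the vulnerable shape (caller is merely authorized) beside the hardened shape (mutating subcommands require `operator.admin`). All names (`Scope`, `Caller`, `isMutating`, the subcommand set) are hypothetical.

```typescript
// Hypothetical model of Gateway caller scopes; not OpenClaw's real types.
type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Caller {
  authenticated: boolean; // passed the basic "authorized command" check
  scopes: Scope[];
}

// Assumed set of /allowlist subcommands that persist changes
// (config-backed allowFrom entries and the pairing-store allowlist).
const MUTATING_SUBCOMMANDS = new Set(["add", "remove"]);

// Decide whether a slash command is a mutating /allowlist call, e.g.
// "/allowlist add dm channel=telegram 789" -> true, "/allowlist list" -> false.
export function isMutating(command: string): boolean {
  const parts = command.trim().split(/\s+/);
  if (parts[0] !== "/allowlist") return false;
  return MUTATING_SUBCOMMANDS.has(parts[1] ?? "");
}

// Vulnerable shape: only asks "is this an authorized internal caller?",
// so any scope, including operator.write, may mutate the allowlist.
export function vulnerableAuthorize(caller: Caller, _command: string): boolean {
  return caller.authenticated;
}

// Hardened shape: mutating subcommands additionally require operator.admin,
// matching the check peer commands like /config already perform; read-only
// subcommands remain available to operator.write.
export function hardenedAuthorize(caller: Caller, command: string): boolean {
  if (!caller.authenticated) return false;
  const hasAdmin = caller.scopes.includes("operator.admin");
  if (isMutating(command)) return hasAdmin;
  return hasAdmin || caller.scopes.includes("operator.write");
}
```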

Impact:

  • Unauthorized persistent modifications to allowlist.
  • Bypass of internal `operator.admin` scope requirement.
  • Potential for privilege escalation via allowlist manipulation.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
