How the mentioned CVE works:
The vulnerability exists in the OpenClaw npm package versions below 2026.4.20. The Control UI’s “assistant-media” route is designed to handle media file and metadata requests. This route authenticates callers that come through a trusted proxy, but it fails to enforce the required operator scopes when the request uses identity-bearing HTTP authentication paths. Specifically, the route does not check for the “operator.read” scope on the authenticated caller. As a result, a trusted-proxy caller who has successfully passed gateway authentication—but lacks the “operator.read” permission—can still access assistant-media files and metadata. The access is limited to files inside the allowed media roots, and media‑root checks are still performed. However, any file or metadata within those roots becomes accessible without the intended scope restriction. The attacker must be a trusted proxy caller, meaning they already have some level of network trust but not the necessary operator scope. The severity is low because the route still requires valid gateway authentication and media‑root boundary checks. The fix introduces an explicit “operator.read” scope check on identity‑bearing HTTP auth paths, closing the bypass.
dailycve form:
Platform: npm
Version: <2026.4.20
Vulnerability: Scope bypass
Severity: Low
Date: 2026-04-25
Prediction: Already patched 2026-04-20
Analytics under What Undercode Say:
```shell
# Count vulnerable installations (hypothetical npm audit)
npm audit --json | jq '.actions[] | select(.module=="openclaw") | .vulnerabilities'

# Check installed openclaw version
npm list openclaw --depth=0

# Daily vulnerable request pattern (simulated log grep)
grep "assistant-media" /var/log/openclaw/access.log | grep "scope=missing"
```
Exploit:
```shell
# As a trusted-proxy caller with valid gateway auth but no operator.read
curl -X GET "https://target/control-ui/assistant-media/file?id=secret.txt" \
  -H "X-Forwarded-For: trusted_proxy_ip" \
  -H "Authorization: Bearer <valid_gateway_token_without_operator.read>"

# Expected (vulnerable) response: file contents
# Fixed response: 403 Forbidden - operator.read required
```
Protection from this CVE:
- Upgrade openclaw to version 2026.4.20 or later.
- If unable to upgrade, apply the patch commit 99ef3a63c58440d53f8e45ad861b846032fcb036 manually.
- Enforce strict network segmentation so that only fully trusted proxies can reach the Control UI.
- Audit all identity‑bearing HTTP auth paths for missing scope checks.
Impact:
Low severity. An authenticated attacker with trusted proxy access but without operator.read can read media files and metadata inside allowed media roots. The attack does not bypass gateway authentication or media‑root boundaries, limiting the exposure to authorized media content only.
Sources:
Reported By: github.com