Listen to this Post
A flaw in OpenClaw versions before 2026.2.2 allowed a client with a limited `operator.write` token to approve or deny pending execution requests. This happened because the internal pathway for the `/approve` chat command used a privileged gateway client that bypassed the standard permission checks. While the direct RPC method `exec.approval.resolve` correctly required the `operator.approvals` scope, the chat command did not, creating an authorization bypass. An attacker with only chat write access could therefore approve malicious commands that required administrative approval, effectively escalating their privileges within the platform. This issue is most critical in multi-tenant or shared environments where token scopes are used to enforce strict access controls.
Platform: OpenClaw
Version: < 2026.2.2
Vulnerability: Privilege Escalation
Severity: High
Date: 2026-02-17
Prediction: Patched (2026.2.2)
What Undercode Say:
Analytics:
This vulnerability represents a classic case of authorization bypass through inconsistent privilege checks. The core issue is that two different pathways to the same critical function (exec.approval.resolve) enforced different security policies. The RPC interface was secure, but the chat command interface, which ultimately called the same function, was not. This highlights the risk of “privileged” internal service clients that operate with higher permissions than the user initiating the action. For blue teams, this is a reminder to audit not just API endpoints, but also internal messaging and command handlers for consistent authorization. The fix, which now requires `operator.approvals` for the `/approve` command, closes this gap by aligning the permission model across all interfaces.
Bash Commands & Codes:
Check current OpenClaw version:
npm list openclaw or grep '"version"' package.json
Apply workaround by disabling text commands (if upgrade not immediately possible):
Set commands.text to false in your configuration file Example using jq to modify config.json jq '.commands.text = false' config.json > tmp.json && mv tmp.json config.json
Inspect commit that fixed the issue:
git log --oneline -n 1 efe2a464afcff55bb5a95b959e6bd9ec0fef086e
View the specific code change in the approve command handler:
git show efe2a464afcff55bb5a95b959e6bd9ec0fef086e src/auto-reply/reply/commands-approve.ts
How Exploit:
- Prerequisite: The attacker obtains a valid device token with only the `operator.write` scope (e.g., from a misconfigured client or leaked token).
- Connect: The attacker uses this token to authenticate to the OpenClaw gateway as a client.
- Monitor: They listen for or identify a pending `exec` request that requires approval (e.g., a command to run on the host system).
- Execute: The attacker sends a chat message containing the built-in command `/approve
` through the gateway. - Bypass: The vulnerable command handler processes the request using an internal privileged client, approving the execution even though the attacker’s token lacks the `operator.approvals` scope.
- Impact: The malicious command is executed with the privileges of the OpenClaw instance.
Protection:
- Immediate Upgrade: Update to OpenClaw version 2026.2.2 or later . This is the only complete fix.
- Token Hygiene: Avoid issuing `operator.write` tokens to untrusted or semi-trusted clients in multi-user setups. Adhere to the principle of least privilege.
- Disable Commands: If an upgrade is not possible, a strong workaround is to disable text commands entirely by setting `commands.text=false` in the OpenClaw configuration.
- Restrict Access: Limit access to the webchat or control UI to only trusted users and networks, reducing the attack surface where the `/approve` command could be injected.
Impact:
By exploiting this vulnerability, an attacker with only chat write access can approve arbitrary execution requests. This effectively grants them the ability to run system commands, modify configurations, or perform any action that would normally require an administrative approval. In shared environments, this breaks the intended tenant isolation, potentially leading to full host compromise if the approved commands are malicious.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

