Listen to this Post
The vulnerability arises from an authorization flaw in the gateway’s `send` function, which fails to adequately distinguish between `operator.write` and higher-privileged roles like admin. An authenticated attacker possessing only the `operator.write` scope can craft a specific `send` command. This command is improperly routed through the system’s permission validation layer, bypassing checks for admin-class resources. Consequently, the attacker can reach and modify the Telegram bot configuration, which is typically an admin-only operation. Furthermore, the same flaw allows the attacker to persist their presence by injecting malicious entries into the gateway’s cron scheduler. The cron persistence mechanism, intended for system-level tasks, does not re-validate the caller’s privileges on the persistence layer, accepting the escalated context. The attack leverages the scoped-token deployment model, where tokens with `operator.write` are intended for limited chat operations. The vulnerable code path mishandles the propagation of the `callerScopes` context, effectively performing a privilege escalation where low-privilege write access equates to full control over the gateway’s control plane.
DailyCVE Form
Platform: openclaw
Version: <=2026.3.24
Vulnerability : Authorization mismatch
Severity: Medium
date: 2026-04-07
Prediction: 2026-03-28
What Undercode Say
Analytics on this vulnerability indicate a targeted attack vector. The following bash command can be used to check if a running OpenClaw instance is vulnerable by querying the npm registry for the installed version:
npm list openclaw | grep openclaw@
A Python script to simulate the authorization bypass by sending a crafted `send` command with an `operator.write` scoped token:
import requests
token = "YOUR_OPERATOR_WRITE_TOKEN"
payload = {"command": "send", "args": {"chatId": "admin_chat", "message": "/edit_config --telegram"}}
headers = {"Authorization": f"Bearer {token}"}
response = requests.post("https://target-gateway/api/v1/chat", json=payload, headers=headers)
print(response.text)
Exploit
The exploit is executed by an authenticated client with a token scoped to operator.write. The attacker sends a chat message or API call that invokes the `send` command with parameters targeting the admin-class Telegram configuration or cron job management functions. Because the gateway does not validate the caller’s scope for these specific internal routes, the command is executed with escalated privileges. For example, an attacker could send `/set_telegram_webhook` to hijack the bot or add a cron job to maintain backdoor access.
Protection from this CVE
Protection requires updating the OpenClaw package to a patched version. The fix is implemented in commit `b7d70ade` and is included in version `2026.3.28` and later. Users should upgrade immediately using the following npm command:
npm install openclaw@latest
Alternatively, apply the security patch by pulling the latest code from the official repository and rebuilding the gateway. Post-update, verify that the `operator.write` scope no longer allows access to admin-class resources.
Impact
A successful exploit allows an attacker with minimal `operator.write` permissions to completely compromise the OpenClaw gateway. The attacker can:
– Modify the Telegram bot configuration to intercept or hijack messages.
– Achieve persistent access by adding malicious cron jobs that survive gateway restarts.
– Potentially pivot to other admin-level functions, leading to full control over the AI assistant and any connected systems.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

