Lucene search
K

4 matches found

OSV
OSV
added 2026/07/02 4:6 p.m.4 views

GHSA-HW9R-H9MR-4JFF OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates

Summary Some internal command handlers require operator.approvals or operator.admin scopes. In affected releases, a scoped Gateway chat.send request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes...

8.8CVSS5.8AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:22 p.m.12 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send route. An attacker can perform unauthorized privileged actions by leveraging inherited external routes to bypass required scope checks, enabling...

8.8CVSS5.5AI score0.00253EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 3:11 p.m.42 views

CVE-2026-35674 OpenClaw < 2026.5.18 - Scope Bypass via Inherited chat.send Route

OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scop...

8.8CVSS0.00253EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 3:11 p.m.40 views

CVE-2026-35674

OpenClaw prior to 2026.5.18 has a scope bypass vulnerability in the Gateway chat.send route. If an attacker holds operator.write scope, they can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized mutations t...

8.8CVSS5.9AI score0.00253EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder