CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access

OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perfo...

CVE-2026-32051

OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perfo...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause an authenticated caller with operator.write scope to invoke the owner-only tool interface...

GHSA-2RQG-GJGV-84JM OpenClaw: Gateway `agent` calls could override the workspace boundary

Summary The public gateway agent RPC allowed an authenticated operator with operator.write to supply attacker-controlled spawnedBy and workspaceDir values. That let the caller re-root the agent run outside its configured workspace boundary. Impact A non-owner operator could escape the intended...

OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes

Summary An authorization mismatch in the gateway let an authenticated caller with only operator.write use browser.request to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through /profiles/create...

GHSA-VMHQ-CQM9-6P7Q OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes

Summary An authorization mismatch in the gateway let an authenticated caller with only operator.write use browser.request to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through /profiles/create...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send process. An attacker can perform unauthorized persistent configuration changes by routing /config set or /config unset commands through an...

OpenClaw: `operator.write` chat.send could reach admin-only config writes

Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw npm - Latest published vulnerable...

GHSA-HFPR-JHPQ-X4RM OpenClaw: `operator.write` chat.send could reach admin-only config writes

Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw npm - Latest published vulnerable...

CVE-2026-28473

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway...

CVE-2026-28473

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway...

CVE-2026-28473 OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway...

CVE-2026-28473

Summary of technical details for CVE-2026-28473 (OpenClaw) : OpenClaw versions prior to 2026.2.2 contain an authorization bypass in which a client with the operator.write scope can approve or deny exec approval requests by issuing the /approve chat command. The command path triggers exec.approval...

EUVD-2026-9919

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.2 had security vulnerabilities. These vulnerabilities stemmed from an authorization bypass issue. Clients with access to the operator.write scope could approve or reject approval requests by sending...

Improper Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authorization in the system.run due to a parsing mismatch in allowlist checks for shell-chain payloads. An attacker can execute unauthorized shell commands on a paired macOS host...

GHSA-5F9P-F3W2-FWCH OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Summary In the macOS companion app currently beta, a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings. Impact This path requires all of the following: - authenticated caller with operator.write - paired macOS beta node...

GHSA-JR6X-2Q95-FH2G OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools

Summary An authorization mismatch allowed authenticated callers with operator.write access to invoke owner-only tool surfaces gateway, cron through agent runs in scoped-token deployments. Impact On affected deployments, write-scoped callers could perform control-plane actions beyond intended writ...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the /approve command. An attacker can gain unauthorized approval or denial of pending execution requests by sending specially crafted chat messages through a...

GHSA-MQPW-46FH-299H OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve

Summary What this means plain language If you give a client “chat/write” access to the gateway operator.write but you do not intend to let that client approve exec requests operator.approvals, affected versions could still let that client approve/deny a pending exec approval by sending the /appro...