GHSA-48VW-M3QC-WR99: Improper Privilege Management in OpenClaw Gateway Trusted-Proxy Sessions

The OpenClaw gateway relies on a WebSocket connection architecture to manage device communications and administrative commands. In enterprise environments, the gateway is frequently deployed behind a reverse proxy configured for trusted-proxy authentication. Under this configuration, the proxy is responsible for validating initial client identity and passing authentication headers downstream to the OpenClaw service.

A privilege management vulnerability (CWE-269) exists within the gateway's message handling component, specifically affecting how self-declared client scopes are validated. When a WebSocket connection request is received, the gateway evaluates the client's requested permissions against explicitly granted scopes or bound device identities. If a client attempts to claim permissions without authorization, the gateway must scrub these unbound scopes to prevent privilege escalation.

The vulnerability manifests when a connection originates from a trusted proxy and the client identifier is set to control-ui. The gateway's scope-scrubbing logic contains an exception that improperly exempts these specific sessions from permission validation. Consequently, an attacker can specify arbitrary privileged scopes during the initial handshake and retain them throughout the session lifecycle, granting unauthorized access to administrative Remote Procedure Calls (RPCs).

The root cause of the vulnerability resides in src/gateway/server/ws-connection/message-handler.ts. The gateway utilizes a function named clearUnboundScopes() to strip any permissions that a client self-declares but has not been cryptographically authorized to possess. This function acts as the primary defense mechanism against clients attempting to over-provision their own sessions.

The logic responsible for invoking this function evaluates three primary variables: the presence of a bound device (!device), whether the client identifies as the Control UI (isControlUi), and the outcome of the authentication decision (decision.kind). The flaw exists in the boolean evaluation used to bypass the scrubbing process for valid Control UI sessions.

When a request passes through a trusted proxy, the gateway automatically sets decision.kind to "allow" based on the proxy's validation. If the attacker simultaneously sets client.id to control-ui, the variable isControlUi evaluates to true. The conditional check (!isControlUi || decision.kind !== "allow") consequently evaluates to false, causing the execution flow to bypass the clearUnboundScopes() invocation entirely, leaving the self-declared attacker scopes intact.

The vulnerable code path is located in the message handler module. Prior to the patch, the conditional statement dictating whether to scrub unbound scopes failed to account for the context in which the "allow" decision was made. The original implementation is shown below.

// VULNERABLE CODE: src/gateway/server/ws-connection/message-handler.ts
if (!device && (!isControlUi || decision.kind !== "allow")) {
  clearUnboundScopes();
}

In this implementation, an attacker leveraging a trusted proxy achieves decision.kind === "allow". By declaring isControlUi === true, the secondary condition fails, and the code inside the block does not execute. The session inherits whatever scopes the attacker injected into the request payload.

The patch introduced in commit ccf16cd8892402022439346ae1d23352e3707e9e rectifies this logic gap by explicitly evaluating the trusted proxy authentication status. A new boolean flag, trustedProxyAuthOk, is introduced to the conditional statement.

// PATCHED CODE: src/gateway/server/ws-connection/message-handler.ts
if (!device && (!isControlUi || decision.kind !== "allow" || trustedProxyAuthOk)) {
  clearUnboundScopes();
}

By appending || trustedProxyAuthOk to the evaluation, the gateway enforces scope scrubbing for all connections authorized via the trusted proxy pathway, regardless of whether the client claims to be the Control UI. This modification mandates that proxied sessions rely strictly on scopes provided explicitly in the validated proxy headers rather than those self-declared in the client payload.

Exploitation requires the attacker to possess network access to an OpenClaw gateway deployed behind a reverse proxy configured for trusted-proxy authentication. The attacker must be able to route WebSocket upgrade requests through this proxy. No valid user credentials or pre-existing device pairings are necessary to execute the attack.

The attack begins with the initialization of a WebSocket connection to the gateway's /ws endpoint. The attacker structures the connection payload to spoof the Control UI identity by explicitly defining client: { id: "control-ui" }. Simultaneously, the attacker injects an array of high-privileged scopes, such as operator.admin, into the request parameters.

// Proof of Concept - Attack Execution
const ws = await openWs(port, { "X-Forwarded-User": "attacker" }); 
const res = await connectReq(ws, {
    skipDefaultAuth: true,
    scopes: ["operator.admin", "operator.read", "secrets.read"], 
    device: null,               
    client: { id: "control-ui" }, 
});

Upon processing the request, the proxy forwards the payload to the gateway. The gateway evaluates the connection, notes the trusted proxy headers, and approves the session without executing clearUnboundScopes(). The attacker immediately gains an active WebSocket session endowed with the operator.admin scope, permitting the execution of restricted RPC commands such as set-heartbeats or system configuration modifications.

Successful exploitation of this vulnerability yields complete administrative control over the OpenClaw gateway component. An attacker operating with the operator.admin scope bypasses all intended authorization boundaries, enabling unauthorized access to sensitive operational parameters and system configurations. The lack of requisite authentication or interaction renders the attack highly scalable against exposed instances.

The severity of the flaw is reflected in an estimated CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, producing a base score of 9.8 (Critical). The Attack Vector is Network (AV:N) due to the remote nature of WebSocket connections, and Privileges Required is None (PR:N) because the flawed logic accepts the unauthenticated connection based solely on the proxy's routing context.

The architectural consequences are substantial for deployments relying on trusted proxies. Attackers can leverage the compromised gateway to intercept device communications, alter gateway behavior, or extract sensitive telemetry data. Furthermore, administrative access provides a stable foundation for lateral movement within the broader deployment environment.

The definitive remediation strategy is upgrading the OpenClaw gateway software to version 2026.3.17 or later. This release incorporates the logic corrections implemented in commit ccf16cd8892402022439346ae1d23352e3707e9e, which properly enforces scope scrubbing for all connections authenticated via a trusted proxy. System administrators must prioritize patching instances that expose the WebSocket interface through reverse proxies.

In environments where immediate patching is unfeasible, administrators should harden the reverse proxy configuration. Ensure the proxy strictly sanitizes incoming HTTP headers and drops any unauthorized X-Forwarded-* headers injected by external clients. Additionally, administrators should audit the gateway.controlUi.allowedOrigins configuration directive, restricting it to specific, trusted administrative domains rather than utilizing wildcard (*) entries.

Security operations teams can implement detection mechanisms by actively monitoring gateway logs. Organizations should alert on WebSocket connection events where client.id equals control-ui but lacks a corresponding cryptographic device pairing event. A high frequency of such events originating from external IP addresses through the proxy infrastructure serves as a strong indicator of exploitation attempts.