GHSA-HFPR-JHPQ-X4RM: Authorization Bypass via Gateway Command Routing in OpenClaw

OpenClaw functions as an open-source AI agent infrastructure platform, utilizing a role-based access control system to govern interactions. Access to the platform's API and gateway interfaces is managed via OAuth-style scopes. The operator.admin scope is required for destructive or configuration-altering actions, while the operator.write scope is intended strictly for basic messaging and standard interaction features.

The vulnerability, identified as GHSA-HFPR-JHPQ-X4RM, resides in the gateway protocol's internal message routing logic. Clients authenticate to the OpenClaw gateway using their assigned scopes. However, the system fails to correctly enforce these boundaries when processing slash commands submitted via the chat.send interface. This allows an entity with minimal permissions to invoke administrative routines.

By encapsulating an administrative command within a standard chat payload, an attacker circumvents the direct API access controls. The gateway processes the internal message, identifies the command directive, and executes it without re-validating the caller's privilege level against the specific action's requirements. This results in an incorrect authorization state mapping to CWE-863 and CWE-285.

The fundamental flaw exists in the architectural divergence between direct RPC method calls and internal gateway command processing. OpenClaw exposes direct RPC endpoints for administrative tasks, which correctly interrogate the authorization context to verify the presence of the operator.admin scope. A direct API call to modify the configuration reliably rejects requests lacking this permission.

Conversely, the platform implements a chat.send interface designed for natural language interactions and slash-command processing. When a user submits a message such as /config set tools.bash.enabled=true, the gateway intercepts the input, parses the directive, and routes it to an internal command handler. Prior to version 2026.3.7, the handler located in src/auto-reply/reply/commands-config.ts validated only that the command subsystem was globally enabled.

The internal command processor neglected to verify the contextual scopes of the original chat.send requestor before enacting state changes. It operated under the flawed assumption that any command reaching the internal execution phase was inherently authorized. This omission created a parallel execution path where authorization checks were entirely bypassed for destructive configuration actions like set and unset.

Exploitation requires the attacker to possess valid credentials mapping to the operator.write scope. These credentials establish an authenticated session with the OpenClaw gateway. The attacker does not require administrative access, network positioning beyond the standard API gateway, or complex memory manipulation techniques.

The attacker initiates the exploit sequence by submitting a specially crafted payload via the chat.send protocol. The payload body contains a slash command targeting the configuration subsystem. A standard attack string resembles /config set tools.bash.enabled=true. The attacker sends this string exactly as they would send a legitimate chat message to the agent.

Upon receiving the payload, the OpenClaw gateway extracts the /config directive and routes it to the vulnerable command handler. The handler processes the mutation request, overwriting the specified key-value pair in the underlying openclaw.json configuration file. The platform acknowledges the modification and updates its operational state dynamically without requiring a restart.

Once the configuration is altered, the attacker leverages the newly enabled features. In the case of enabling the bash tool, the attacker utilizes standard platform functionality to execute arbitrary shell commands on the underlying host infrastructure. This completes the privilege escalation lifecycle from a restricted messaging user to a system-level actor.

The primary consequence of this vulnerability is the complete compromise of the platform's configuration integrity. An attacker with restricted operator.write privileges acquires the ability to arbitrarily alter the contents of openclaw.json. This configuration file dictates the operational parameters, security constraints, and active feature sets of the OpenClaw environment.

The secondary impact involves privilege escalation to remote code execution. By modifying specific configuration keys, such as enabling disabled tools or overriding security limits, the attacker weaponizes native application features. Enabling shell-execution plugins directly translates the authorization bypass into unauthenticated, host-level command execution within the context of the OpenClaw service account.

This vulnerability also affects related operational workflows, similar to the previously disclosed CVE-2026-28473. By manipulating the configuration, attackers alter approval hierarchies, disable auditing mechanisms, or modify persistent data stores. The blast radius encompasses both the application layer and the underlying host system, bounded only by the permissions of the OpenClaw process itself.

The remediation, introduced in commit 5f8f58ae25e2a78f31b06edcf26532d634ca554e, fundamentally alters the authorization architecture for internal command processing. The maintainers introduced a specialized helper function named requireGatewayClientScopeForInternalChannel within src/auto-reply/reply/command-gates.ts. This function extracts the GatewayClientScopes context directly from the incoming message envelope.

// Patched logic in command-gates.ts
export function requireGatewayClientScopeForInternalChannel(context: Context, requiredScope: string) {
  const scopes = context.get(GatewayClientScopes);
  if (!scopes || !scopes.includes(requiredScope)) {
    throw new UnauthorizedError(`Missing required scope: ${requiredScope}`);
  }
}

The patch integrates this helper into the vulnerable /config handler located in src/auto-reply/reply/commands-config.ts. The developer implemented conditional logic to differentiate between read-only actions and destructive mutations. If the parsed action evaluates to set or unset, the handler immediately invokes the scope check, requiring operator.admin.

// Patched logic in commands-config.ts
if (action === 'set' || action === 'unset') {
  requireGatewayClientScopeForInternalChannel(context, 'operator.admin');
  // Proceed with configuration mutation
}
// Read-only 'show' actions proceed without admin scope

This implementation successfully resolves the vulnerability by ensuring the gateway command parser enforces the same authorization requirements as the direct RPC interface. The decision to leave /config show accessible to operator.write preserves intended functionality for restricted users without compromising security. The patch also standardizes this gating mechanism across other sensitive commands, including /approve, addressing variant analysis.

The official resolution for GHSA-HFPR-JHPQ-X4RM is the installation of OpenClaw version 2026.3.7. Administrators must update affected deployments immediately to close the authorization bypass vector. The patch applies structural changes to the command routing logic and cannot be replicated via standard configuration toggles.

Prior to upgrading, organizations can deploy temporary mitigation strategies if immediate patching is unfeasible. Administrators should review the assigned scopes for all active gateway clients and revoke operator.write access from untrusted or unverified entities. Limiting network access to the OpenClaw gateway interface using strict firewall rules or mutually authenticated TLS (mTLS) minimizes the external attack surface.

Post-incident response procedures require a thorough audit of the openclaw.json configuration file. Security teams must verify that no unauthorized modifications occurred, paying specific attention to enabled tools, plugin states, and approval workflows. Discrepancies necessitate an investigation into active gateway sessions and potential credential rotation for compromised client identities.