GHSA-HFPR-JHPQ-X4RM
Vulnerability from github – Published: 2026-03-09 19:54 – Updated: 2026-03-09 19:54Summary
A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.3.2 - Affected range:
<= 2026.3.2 - Patched in:
2026.3.7
Details
Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.<provider>.configWrites gates. That allowed an authenticated operator.write gateway client to bridge into persistent config writes even though direct config.* RPC methods remain operator.admin scoped.
The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent /config set|unset writes routed through gateway chat.send now require operator.admin
- read-only /config show remains available to normal write-scoped gateway clients
- normal messaging-channel /config behavior remains unchanged
Impact
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with operator.write, chat.send access, and /config command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.
Fix Commit(s)
5f8f58ae25e2a78f31b06edcf26532d634ca554e
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:54:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA gateway client authenticated with `operator.write` could route `/config set` or `/config unset` through `chat.send` and reach persistent config mutation even though direct config RPC methods are admin-scoped.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.2`\n- Affected range: `\u003c= 2026.3.2`\n- Patched in: `2026.3.7`\n\n### Details\nBefore the fix, `chat.send` ran slash commands in an internal gateway-chat context with `CommandAuthorized: true`, and `/config` write paths only checked command authorization plus `commands.config` / `channels.\u003cprovider\u003e.configWrites` gates. That allowed an authenticated `operator.write` gateway client to bridge into persistent config writes even though direct `config.*` RPC methods remain `operator.admin` scoped.\n\nThe fix keeps command functionality intact while restoring the intended scope boundary:\n- persistent `/config set|unset` writes routed through gateway `chat.send` now require `operator.admin`\n- read-only `/config show` remains available to normal write-scoped gateway clients\n- normal messaging-channel `/config` behavior remains unchanged\n\n### Impact\nThis is a real authorization mismatch, but exploitability requires an already authenticated gateway client with `operator.write`, `chat.send` access, and `/config` command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.\n\n### Fix Commit(s)\n- `5f8f58ae25e2a78f31b06edcf26532d634ca554e`\n\n### Release Process Note\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-hfpr-jhpq-x4rm",
"modified": "2026-03-09T19:54:41Z",
"published": "2026-03-09T19:54:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5f8f58ae25e2a78f31b06edcf26532d634ca554e"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: `operator.write` chat.send could reach admin-only config writes"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.