Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
OpenClaw: Malicious Channels Can Modify Protected Settings
GHSA-8jhh-jcqg-mj5p
Summary
The OpenClaw software has a bug that allows a hacker to modify settings of other accounts on the same gateway, even if those settings are protected. This could lead to unauthorized changes to your account's configuration. To fix this, update to OpenClaw version 2026.3.11 or later.
What to do
- Update openclaw to version 2026.3.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.11 | 2026.3.11 |
Original title
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Original description
## Summary
In affected versions of `openclaw`, channel-initiated config mutations were authorized against the originating account's `configWrites` policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration when the target account had `configWrites: false`.
## Impact
This is an account-scoped policy bypass inside a single gateway deployment. Channel commands such as `/config set channels.<provider>.accounts.<id>...` and config-backed `/allowlist ... --config --account <id>` could modify protected sibling-account configuration.
## Affected Packages and Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.8`
- Fixed in: `2026.3.11`
## Technical Details
The mutation path validated the origin account scope but did not consistently authorize every resolved target scope. Ambiguous collection and root writes under `channels` and `channels.<provider>.accounts` could therefore reach protected account configuration from channel command surfaces.
## Fix
OpenClaw now authorizes config mutations against both the origin scope and each resolved target scope, and it rejects ambiguous root and collection writes from channel commands unless the caller is an internal gateway client with `operator.admin`. The fix shipped in `[email protected]`.
## Workarounds
Upgrade to `2026.3.11` or later.
In affected versions of `openclaw`, channel-initiated config mutations were authorized against the originating account's `configWrites` policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration when the target account had `configWrites: false`.
## Impact
This is an account-scoped policy bypass inside a single gateway deployment. Channel commands such as `/config set channels.<provider>.accounts.<id>...` and config-backed `/allowlist ... --config --account <id>` could modify protected sibling-account configuration.
## Affected Packages and Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.8`
- Fixed in: `2026.3.11`
## Technical Details
The mutation path validated the origin account scope but did not consistently authorize every resolved target scope. Ambiguous collection and root writes under `channels` and `channels.<provider>.accounts` could therefore reach protected account configuration from channel command surfaces.
## Fix
OpenClaw now authorizes config mutations against both the origin scope and each resolved target scope, and it rejects ambiguous root and collection writes from channel commands unless the caller is an internal gateway client with `operator.admin`. The fix shipped in `[email protected]`.
## Workarounds
Upgrade to `2026.3.11` or later.
ghsa CVSS3.1
6.5
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-862
Missing Authorization
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026