4.8
OpenClaw Gateway Tool Access Too Broad in Some Cases
GHSA-2hm8-rqrm-xfjq
Summary
OpenClaw's gateway tool did not consistently restrict owner-only actions to owners: in a direct message (DM) session, an authenticated non-owner sender could, through one specific tool-invocation path, reach gateway actions that should have required owner privileges. Unauthenticated users are not affected, and the issue does not by itself give code execution. The fix maps each gateway method to a least-privilege scope and moves owner-only enforcement into tool metadata and a central policy wrapper instead of per-tool name checks.
What to do
- Update `openclaw` (npm) to version 2026.2.19 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.17 | 2026.2.19 |
Original title
OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
Original description
## Summary
In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.
## Impact
This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself.
## Root Cause
- Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes.
- Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.17` (latest published npm version as of February 19, 2026)
- Patched: `2026.2.19`
## Remediation
- Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified.
- Centralized owner-only enforcement in tool policy wrappers and tool metadata.
- Marked owner-only tools explicitly (`cron`, `gateway`, `whatsapp_login`) and removed duplicated per-tool owner checks.
- Refactored gateway call path internals into smaller helpers while preserving behavior and coverage.
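The root cause and remediation above describe a move from tool-name checks and broad default scopes to a data-driven scope table, metadata-marked owner-only tools and a guard test. The following TypeScript is an added example of that pattern and is not OpenClaw's code: the gateway method names, scopes, roles, the `Sender` shape and the hypothetical `gw` alias path are all assumptions chosen to illustrate the fragile check beside the centralized one.

```typescript
// Added example, not OpenClaw's code. Method names, scopes, roles and the
// "gw" alias call path are assumptions for illustration.

type Role = "owner" | "member";
type Scope = "gateway:read" | "gateway:admin" | "cron:admin" | "whatsapp:login";

// Data-driven table: every exposed gateway method maps to the single
// least-privilege scope it needs. Nothing falls back to a broad default.
const METHOD_SCOPES: Record<string, Scope> = {
  "gateway.status": "gateway:read",
  "gateway.restart": "gateway:admin",
  "cron.schedule": "cron:admin",
  "whatsapp.login": "whatsapp:login",
};

// Scopes each role holds. Non-owners only get read access to the gateway.
const ROLE_SCOPES: Record<Role, ReadonlySet<Scope>> = {
  owner: new Set<Scope>(["gateway:read", "gateway:admin", "cron:admin", "whatsapp:login"]),
  member: new Set<Scope>(["gateway:read"]),
};

// Tool metadata: owner-only is a declared property, not a string match.
interface ToolMeta { name: string; ownerOnly: boolean; methods: string[]; }
const TOOLS: ToolMeta[] = [
  { name: "gateway", ownerOnly: true, methods: ["gateway.status", "gateway.restart"] },
  { name: "cron", ownerOnly: true, methods: ["cron.schedule"] },
  { name: "whatsapp_login", ownerOnly: true, methods: ["whatsapp.login"] },
  { name: "status", ownerOnly: false, methods: ["gateway.status"] },
];

interface Sender { id: string; role: Role; }

// BEFORE (assumed shape of the flaw): owner-only enforcement keyed on the tool
// name, with a permissive default for everything else. A second call path that
// reaches a gateway method under an unlisted name (hypothetical alias "gw")
// is never checked, so a non-owner reaches an admin method.
function legacyAuthorize(sender: Sender, toolName: string, method: string): boolean {
  const ownerOnlyNames = ["cron", "gateway", "whatsapp_login"];
  if (ownerOnlyNames.includes(toolName) && sender.role !== "owner") return false;
  return true; // broad default scope: any method passes
}

// AFTER: one policy wrapper used by every call path. It resolves the tool from
// metadata, applies the ownerOnly flag, then checks the method's required
// scope against the sender's role. Unknown tools, methods the tool does not
// expose and unclassified methods are all denied (fail closed).
function authorize(sender: Sender, toolName: string, method: string): boolean {
  const tool = TOOLS.find((t) => t.name === toolName);
  if (!tool || !tool.methods.includes(method)) return false;
  if (tool.ownerOnly && sender.role !== "owner") return false;
  const required = METHOD_SCOPES[method];
  if (required === undefined) return false;
  return ROLE_SCOPES[sender.role].has(required);
}

// Guard check: every method any tool exposes must be classified in
// METHOD_SCOPES. Run this in the test suite so a newly added method cannot
// ship without a scope.
function unclassifiedMethods(): string[] {
  const exposed: string[] = [];
  for (const t of TOOLS) {
    for (const m of t.methods) {
      if (!exposed.includes(m)) exposed.push(m);
    }
  }
  return exposed.filter((m) => !(m in METHOD_SCOPES));
}
```

With this structure, adding a new call path cannot silently widen access: a path that does not go through `authorize` has no way to resolve a scope, and a new method that is not in `METHOD_SCOPES` is both denied at runtime and flagged by `unclassifiedMethods()` in tests.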
## Fix Commit(s)
- `a40c10d3e24568b1e2947c104484be74bf66b8d2`
- `2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914`
- `3d7ad1cfca4daaa84cd553e843e0e08fa6201349`
OpenClaw thanks @Adam55A-code for reporting.
CVSS 4.0 score (GHSA): 4.8
Vulnerability type
- CWE-269: Improper Privilege Management
- CWE-863: Incorrect Authorization
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq
- https://github.com/openclaw/openclaw/commit/2777d8ad91ef1e8a7c6f5b4b18f8507be7d0...
- https://github.com/openclaw/openclaw/commit/3d7ad1cfca4daaa84cd553e843e0e08fa620...
- https://github.com/openclaw/openclaw/commit/a40c10d3e24568b1e2947c104484be74bf66...
- https://github.com/advisories/GHSA-2hm8-rqrm-xfjq
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026