OpenClaw Configuration and Debugging Pages Accessible to Authorized Users
GHSA-r7vr-gr74-94p8
Summary
Non-owners with command authorization could access and modify sensitive configuration and debugging settings in OpenClaw. This could result in unintended changes to the system. To fix this, update to OpenClaw version 2026.3.12 or later.
What to do
- Update openclaw to version 2026.3.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.11 | 2026.3.12 |
Original title
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
Original description
### Summary
OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.
### Impact
This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.
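The authorization gap described above, as an added illustration that is not OpenClaw's code: a small command dispatcher in which the vulnerable shape gates only on command authorization, while the fixed shape also enforces ownership centrally from a per-handler `ownerOnly` flag. The `Sender` and `Handler` types and the `/status` command are assumptions for the example.

```typescript
// Added illustration, not OpenClaw's code: a minimal command dispatcher that
// shows the gap described above (only the command-authorization check ran) and
// the owner check that closes it. Sender, Handler and the command names other
// than /config and /debug are hypothetical.
type Sender = { id: string; isOwner: boolean; commandAuthorized: boolean };
type Handler = { ownerOnly: boolean; run: (s: Sender, args: string) => string };

const handlers: Record<string, Handler> = {
  "/status": { ownerOnly: false, run: (s) => `status for ${s.id}` },
  "/config": { ownerOnly: true, run: (_s, a) => `config ${a}` },
  "/debug": { ownerOnly: true, run: () => "debug dump" },
};

function parse(line: string): [string, string] {
  const [name, ...rest] = line.trim().split(/\s+/);
  return [name.toLowerCase(), rest.join(" ")];
}

// Vulnerable shape: the gate only asks "may this sender run commands?", so an
// allow-listed non-owner reaches the owner-only handlers too.
function dispatchVulnerable(sender: Sender, line: string): string {
  const [name, args] = parse(line);
  const h = handlers[name];
  if (!h) return "unknown command";
  if (!sender.commandAuthorized) return "denied";
  return h.run(sender, args);
}

// Fixed shape: ownership is enforced centrally from the handler's ownerOnly
// flag, so no individual handler can forget the check.
function dispatchFixed(sender: Sender, line: string): string {
  const [name, args] = parse(line);
  const h = handlers[name];
  if (!h) return "unknown command";
  if (!sender.commandAuthorized) return "denied";
  if (h.ownerOnly && !sender.isOwner) return "denied"; // the missing check
  return h.run(sender, args);
}

// Constructed senders: an owner, a trusted-but-not-owner helper, and a stranger.
const owner: Sender = { id: "alice", isOwner: true, commandAuthorized: true };
const helper: Sender = { id: "bob", isOwner: false, commandAuthorized: true };
const stranger: Sender = { id: "eve", isOwner: false, commandAuthorized: false };
```

A regression matrix over these three senders and the `/config`, `/debug` and `/status` commands is the kind of test the advisory says now guards the privileged surfaces.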
CVSS 3.1 (GHSA): 8.8
Vulnerability type
CWE-285
Improper Authorization
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8
- https://github.com/openclaw/openclaw/pull/44305
- https://github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112...
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12
- https://github.com/advisories/GHSA-r7vr-gr74-94p8
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026