OpenClaw: Unauthorized Access to Admin Config Settings
GHSA-hfpr-jhpq-x4rm
Summary
An authenticated attacker holding write-scoped (non-admin) gateway privileges and access to the chat feature could make unauthorized, persistent changes to OpenClaw's configuration settings, because config commands sent through chat bypassed the admin-only access control that the direct config API enforces. The fix requires admin privileges for config changes made through the chat feature, restoring the intended security boundary.
What to do
- Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.2 | 2026.3.7 |
Original title
OpenClaw: `operator.write` chat.send could reach admin-only config writes
Original description
### Summary
A gateway client authenticated with `operator.write` could route `/config set` or `/config unset` through `chat.send` and reach persistent config mutation even though direct config RPC methods are admin-scoped.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published vulnerable version: `2026.3.2`
- Affected range: `<= 2026.3.2`
- Patched in: `2026.3.7`
### Details
Before the fix, `chat.send` ran slash commands in an internal gateway-chat context with `CommandAuthorized: true`, and `/config` write paths only checked command authorization plus `commands.config` / `channels.<provider>.configWrites` gates. That allowed an authenticated `operator.write` gateway client to bridge into persistent config writes even though direct `config.*` RPC methods remain `operator.admin` scoped.
The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent `/config set|unset` writes routed through gateway `chat.send` now require `operator.admin`
- read-only `/config show` remains available to normal write-scoped gateway clients
- normal messaging-channel `/config` behavior remains unchanged
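The following is an added, illustrative model of the scope mismatch described above; it is not OpenClaw code, and every name in it (`Scope`, `GatewayClient`, `CommandContext`, `chatSend`, `runConfigCommand`, `configSetRpc`, the sample key `sample.key`) is an assumption chosen for the example. It shows why a `CommandAuthorized: true` flag set by the internal chat context is not a substitute for checking the caller's own scope on the write verbs, and how the fix can add that check while leaving `/config show` available to write-scoped clients and the direct `config.set` RPC unchanged.

```typescript
// Added example (not OpenClaw code): a minimal model of the chat.send -> /config
// scope mismatch. All names here are illustrative assumptions.

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface GatewayClient {
  id: string;
  scopes: Scope[];
}

type ConfigStore = Map<string, string>;

interface CommandContext {
  commandAuthorized: boolean;     // the CommandAuthorized flag the gateway-chat context sets
  commandsConfigEnabled: boolean; // the commands.config feature gate
  requireAdminForWrites: boolean; // false models the pre-fix path, true the fixed path
}

interface Outcome {
  ok: boolean;
  message: string;
}

function hasScope(client: GatewayClient, scope: Scope): boolean {
  return client.scopes.indexOf(scope) !== -1;
}

// Parse "/config show", "/config set <key> <value>" or "/config unset <key>".
function parseConfigCommand(text: string): { verb: "show" | "set" | "unset"; key?: string; value?: string } | null {
  const parts = text.trim().split(/\s+/);
  if (parts[0] !== "/config") return null;
  if (parts[1] === "show" && parts.length === 2) return { verb: "show" };
  if (parts[1] === "set" && parts.length >= 4) return { verb: "set", key: parts[2], value: parts.slice(3).join(" ") };
  if (parts[1] === "unset" && parts.length === 3) return { verb: "unset", key: parts[2] };
  return null;
}

// The /config handler. Before the fix, persistent writes were gated only by the
// context flags; the fix adds an explicit operator.admin check on set/unset and
// leaves the read-only "show" verb as it was.
function runConfigCommand(client: GatewayClient, text: string, config: ConfigStore, ctx: CommandContext): Outcome {
  const cmd = parseConfigCommand(text);
  if (cmd === null) return { ok: false, message: "not a valid /config command" };
  if (!ctx.commandAuthorized || !ctx.commandsConfigEnabled) {
    return { ok: false, message: "denied: command not authorized or commands.config disabled" };
  }
  if (cmd.verb === "show") {
    return { ok: true, message: "keys: " + Array.from(config.keys()).join(",") };
  }
  // Fixed path: the caller's own scope decides, not the flag the chat context set.
  if (ctx.requireAdminForWrites && !hasScope(client, "operator.admin")) {
    return { ok: false, message: "denied: persistent config writes require operator.admin" };
  }
  const key = cmd.key as string;
  if (cmd.verb === "set") {
    config.set(key, cmd.value as string);
    return { ok: true, message: "set " + key };
  }
  config.delete(key);
  return { ok: true, message: "unset " + key };
}

// chat.send: any operator.write client may send, and slash commands run in an
// internal context that is always CommandAuthorized. That context is the bridge.
function chatSend(client: GatewayClient, text: string, config: ConfigStore, fixed: boolean): Outcome {
  if (!hasScope(client, "operator.write")) {
    return { ok: false, message: "denied: chat.send requires operator.write" };
  }
  const ctx: CommandContext = { commandAuthorized: true, commandsConfigEnabled: true, requireAdminForWrites: fixed };
  return runConfigCommand(client, text, config, ctx);
}

// Direct config.set RPC: operator.admin scoped before and after the fix. This is
// the boundary the chat.send route was circumventing.
function configSetRpc(client: GatewayClient, key: string, value: string, config: ConfigStore): Outcome {
  if (!hasScope(client, "operator.admin")) {
    return { ok: false, message: "denied: config.set requires operator.admin" };
  }
  config.set(key, value);
  return { ok: true, message: "set " + key };
}

// Constructed clients and a constructed sample key for the demonstration.
const writer: GatewayClient = { id: "writer", scopes: ["operator.write"] };
const admin: GatewayClient = { id: "admin", scopes: ["operator.write", "operator.admin"] };

function demonstrate(): { beforeFix: boolean; afterFix: boolean; showAfterFix: boolean; adminAfterFix: boolean } {
  const before = new Map<string, string>();
  const after = new Map<string, string>();
  return {
    beforeFix: chatSend(writer, "/config set sample.key value", before, false).ok,  // true: write-scoped client reaches the write
    afterFix: chatSend(writer, "/config set sample.key value", after, true).ok,     // false: denied
    showAfterFix: chatSend(writer, "/config show", after, true).ok,                 // true: read stays available
    adminAfterFix: chatSend(admin, "/config set sample.key value", after, true).ok, // true: admin still allowed
  };
}

console.log(demonstrate());
```

The design point is that `commandAuthorized` answers "may commands run in this context at all?", whereas the write verbs need "does this caller hold the scope that the equivalent direct RPC demands?"; the two are different questions, and a check on the second one belongs on the write path itself so that every route into it, chat or RPC, meets the same bar.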
### Impact
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with `operator.write`, `chat.send` access, and `/config` command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.
### Fix Commit(s)
- `5f8f58ae25e2a78f31b06edcf26532d634ca554e`
### Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
CVSS 3.1 (GHSA): 4.3
Vulnerability type: CWE-863 Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026