
OpenClaw: Unauthorized Access to Admin Actions through Plugin Routes

GHSA-xw77-45gv-p728
Summary

A security issue in OpenClaw allows external requests to perform admin actions without proper authorization. This could lead to sensitive data being deleted or accessed. To fix this, update OpenClaw to version 2026.3.11 or later.

What to do
  • Update openclaw to version 2026.3.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | > 2026.3.7, <= 2026.3.11 | 2026.3.11 |
Original title
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Original description
## Summary
In affected versions of `openclaw`, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using `auth: "plugin"` could therefore trigger admin-only gateway actions without normal gateway authorization.

## Impact
This is a critical authorization bypass. An external unauthenticated request to a plugin-owned route could reach privileged subagent runtime methods and perform admin-only gateway actions such as deleting sessions, reading session data, or triggering agent execution.

## Affected Packages and Versions
- Package: `openclaw` (npm)
- Affected versions: `>= 2026.3.7, < 2026.3.11`
- Fixed in: `2026.3.11`

## Technical Details
The new plugin subagent runtime preserved neither the original caller's auth context nor least-privilege scope. Instead, it executed gateway dispatches through a fabricated operator client with administrative scopes, which was reachable from plugin-owned routes that intentionally bypass normal gateway auth so plugins can perform their own webhook verification.

## Fix
OpenClaw now preserves real authorization boundaries for plugin subagent calls instead of dispatching them through synthetic admin scopes. The fix shipped in `openclaw@2026.3.11`.
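The following is an added illustration of the flaw described under Technical Details and of the shape of the fix described here; it is not OpenClaw's code, and every method name, scope name and function name in it is assumed. It contrasts a dispatcher that fabricates an all-scopes operator client with one that runs the call under the actual caller's scopes, using a constructed unauthenticated plugin-route request as input.

```javascript
// Added illustration, not OpenClaw's code. Method and scope names are assumed.
// Scope each gateway method requires; null means no gateway scope is needed.
const METHOD_SCOPES = {
  "sessions.delete": "admin:sessions",
  "sessions.read": "admin:sessions",
  "agent.run": "admin:agent",
  "health.ping": null,
};

// The gateway's real check: refuse unless the client holds the required scope.
function dispatch(client, method) {
  if (!(method in METHOD_SCOPES)) return { ok: false, reason: "unknown method" };
  const required = METHOD_SCOPES[method];
  if (required !== null && !client.scopes.has(required)) {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, by: client.id };
}

// Vulnerable pattern: the subagent runtime fabricates an operator client that
// always carries every administrative scope, whoever actually made the call.
function dispatchViaSyntheticOperator(method) {
  const allScopes = Object.values(METHOD_SCOPES).filter(Boolean);
  const synthetic = { id: "synthetic-operator", scopes: new Set(allScopes) };
  return dispatch(synthetic, method);
}

// Fixed pattern: the subagent call runs with the caller's own auth context.
// A request that arrived on an `auth: "plugin"` route bypassed gateway auth,
// so it carries no gateway scopes and admin-only methods are refused.
function dispatchAsCaller(callerContext, method) {
  const client = {
    id: callerContext.id ?? "anonymous",
    scopes: new Set(callerContext.scopes ?? []),
  };
  return dispatch(client, method);
}

// Constructed sample: an external request hitting a plugin-owned route. The
// plugin verified its webhook, but the gateway never authenticated this caller.
const pluginRouteRequest = { id: "webhook-caller", scopes: [] };

console.log(dispatchViaSyntheticOperator("sessions.delete")); // { ok: true, by: 'synthetic-operator' }
console.log(dispatchAsCaller(pluginRouteRequest, "sessions.delete")); // { ok: false, reason: 'forbidden' }
```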

## Workarounds
Upgrade to `2026.3.11` or later.
Source: GHSA · CVSS 3.1: 9.4
Vulnerability type
CWE-269 Improper Privilege Management
CWE-285 Improper Authorization
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026