CVSS 3.1 base score: 4.3

OpenClaw: Authenticated Gateway Client Can Change Config Settings

GHSA-hfpr-jhpq-x4rm
Summary

An attacker holding an authenticated gateway account can change persistent system settings by sending a specially formed chat message, even though that account is not granted permission to do so. The fix requires an admin-level account for this action, so only admins can change settings this way. If you're using OpenClaw version 2026.3.2 or earlier, update to version 2026.3.7 or later.

What to do
  • Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.7 |
Original title
OpenClaw: `operator.write` chat.send could reach admin-only config writes
Original description
### Summary
A gateway client authenticated with `operator.write` could route `/config set` or `/config unset` through `chat.send` and reach persistent config mutation even though direct config RPC methods are admin-scoped.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published vulnerable version: `2026.3.2`
- Affected range: `<= 2026.3.2`
- Patched in: `2026.3.7`

### Details
Before the fix, `chat.send` ran slash commands in an internal gateway-chat context with `CommandAuthorized: true`, and `/config` write paths only checked command authorization plus `commands.config` / `channels.<provider>.configWrites` gates. That allowed an authenticated `operator.write` gateway client to bridge into persistent config writes even though direct `config.*` RPC methods remain `operator.admin` scoped.

The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent `/config set|unset` writes routed through gateway `chat.send` now require `operator.admin`
- read-only `/config show` remains available to normal write-scoped gateway clients
- normal messaging-channel `/config` behavior remains unchanged
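To make the scope boundary concrete, here is an added model of the pre-fix and post-fix authorization logic (illustrative code, not OpenClaw's own). Only the scopes `operator.write` / `operator.admin`, the `chat.send` entry point, `/config set|unset|show` and the `configWrites` gate come from the advisory; the function names, the `origin` field and the context shape are assumptions.

```javascript
// Added example, not OpenClaw source. Models the authorization mismatch from the advisory:
// gateway chat.send ran slash commands with CommandAuthorized: true, and /config write paths
// checked only that flag plus the configWrites gate, never the caller's gateway scope.
const CONFIG_WRITE_SUBCOMMANDS = new Set(["set", "unset"]);

// Parse "/config set key value" into { command, sub, args }; null if not a slash command.
function parseSlash(text) {
  const parts = text.trim().split(/\s+/);
  if (!parts[0].startsWith("/")) return null;
  return { command: parts[0].slice(1), sub: parts[1] ?? null, args: parts.slice(2) };
}

// Direct config.* RPC methods: operator.admin scoped both before and after the fix.
function authorizeConfigRpc(scopes) {
  return scopes.includes("operator.admin")
    ? { allowed: true }
    : { allowed: false, reason: "operator.admin required" };
}

// Pre-fix check: the internal context's CommandAuthorized flag plus the configWrites gate
// are the only things consulted, so an operator.write caller reaches persistent writes.
function authorizeConfigBeforeFix(ctx, cmd, gates) {
  if (!ctx.commandAuthorized) return { allowed: false, reason: "command not authorized" };
  const isWrite = cmd.command === "config" && CONFIG_WRITE_SUBCOMMANDS.has(cmd.sub);
  if (isWrite && !gates.configWrites) return { allowed: false, reason: "config writes disabled" };
  return { allowed: true };
}

// Post-fix check: persistent /config set|unset arriving via gateway chat.send additionally
// require operator.admin; /config show and non-gateway origins are unaffected.
function authorizeConfigAfterFix(ctx, cmd, gates) {
  const base = authorizeConfigBeforeFix(ctx, cmd, gates);
  if (!base.allowed) return base;
  const isWrite = cmd.command === "config" && CONFIG_WRITE_SUBCOMMANDS.has(cmd.sub);
  if (isWrite && ctx.origin === "gateway-chat" && !ctx.scopes.includes("operator.admin")) {
    return { allowed: false, reason: "operator.admin required for persistent config writes" };
  }
  return { allowed: true };
}

// Simulate gateway chat.send: build the internal context the advisory describes and run `check`.
// `scopes` is the caller's gateway scope list (assumed representation).
function dispatchFromChatSend(scopes, text, check, gates = { configWrites: true }) {
  const cmd = parseSlash(text);
  if (!cmd) return { allowed: false, reason: "not a slash command" };
  const ctx = { origin: "gateway-chat", commandAuthorized: true, scopes };
  return check(ctx, cmd, gates);
}
```

Running the same `/config set` through both checks with an `operator.write` caller shows the mismatch: the direct RPC is refused, the pre-fix chat.send path is allowed, and the post-fix path is refused unless the caller also holds `operator.admin`.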

### Impact
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with `operator.write`, `chat.send` access, and `/config` command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.

### Fix Commit(s)
- `5f8f58ae25e2a78f31b06edcf26532d634ca554e`

### Release Process Note
npm `2026.3.7` was published on March 8, 2026. The fix for this advisory is included in that released package.

Thanks @tdjackey for reporting.
Source: OSV · CVSS 3.1: 4.3
Vulnerability type
CWE-863 Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026