OpenClaw: Unauthorized Senders Can Disrupt Sessions and View Sensitive Data
GHSA-8m9v-xpgf-g99m
Summary
Affected versions of OpenClaw have a security issue that allows unauthorized senders to stop active sessions and view sensitive information. This can happen when an attacker sends certain types of messages. To stay secure, update to the latest version of OpenClaw, which includes a fix for this problem.
What to do
- Update openclaw to version 2026.3.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.1 |
Original title
OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization
Original description
### Summary
Unauthorized senders could trigger two command paths without sender authorization checks:
1. stop-like natural-language abort triggers
2. `/models` command output
### Impact
An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated.
### Fix
Sender authorization is now enforced for stop-like abort triggers and `/models` listings.
### Affected and Patched Versions
- Affected: `<= 2026.2.26`
- Patched: `2026.3.1`
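The two command paths named in the original description share one root cause, CWE-863: the sender check was applied to ordinary commands but not to the stop-like abort triggers or the `/models` listing. The following added example (not OpenClaw's code; every name in it such as `Gateway`, `Session`, `STOP_PHRASES` and `MODEL_METADATA` is hypothetical, and the model metadata is a constructed sample) models a chat gateway in both states: with `enforceEverywhere` false it reproduces the bypass described above, with it true it applies the single authorization gate that the Fix section describes.

```typescript
// Added illustration of the incorrect-authorization pattern in this advisory.
// Hypothetical gateway; not OpenClaw's implementation.

type SenderId = string;

interface Session {
  id: string;
  active: boolean;
}

interface Inbound {
  sender: SenderId;
  text: string;
}

interface Outcome {
  handled: boolean;        // true if the message reached a command path
  reply: string;           // what the sender gets back
  abortedSession: boolean; // true if this message ended the active session
}

// Constructed sample of model/auth metadata that should be authorization-gated.
const MODEL_METADATA =
  "models: example-model-a (auth: api-key), example-model-b (auth: oauth)";

// Constructed list of stop-like natural-language abort phrases.
const STOP_PHRASES: ReadonlyArray<string> = ["stop", "abort", "cancel", "halt"];

function isStopLike(text: string): boolean {
  return STOP_PHRASES.includes(text.trim().toLowerCase());
}

class Gateway {
  private readonly allowedSenders: ReadonlySet<SenderId>;
  private readonly enforceEverywhere: boolean;
  readonly session: Session;

  constructor(allowed: Iterable<SenderId>, session: Session, enforceEverywhere: boolean) {
    this.allowedSenders = new Set(allowed);
    this.session = session;
    this.enforceEverywhere = enforceEverywhere;
  }

  private isAuthorized(sender: SenderId): boolean {
    return this.allowedSenders.has(sender);
  }

  handle(msg: Inbound): Outcome {
    const authorized = this.isAuthorized(msg.sender);
    const denied: Outcome = { handled: false, reply: "unauthorized sender", abortedSession: false };

    // Hardened behaviour: one authorization gate in front of every command path,
    // evaluated before any message content is interpreted.
    if (this.enforceEverywhere && !authorized) {
      return denied;
    }

    // Vulnerable behaviour: the stop trigger and /models are dispatched before the
    // sender check, so an unauthorized sender reaches both of them.
    if (isStopLike(msg.text)) {
      this.session.active = false;
      return { handled: true, reply: "session aborted", abortedSession: true };
    }
    if (msg.text.trim() === "/models") {
      return { handled: true, reply: MODEL_METADATA, abortedSession: false };
    }

    // Ordinary commands were gated even in the vulnerable version.
    if (!authorized) {
      return denied;
    }
    return { handled: true, reply: `echo: ${msg.text}`, abortedSession: false };
  }
}

// Run one message through a fresh gateway whose only allowed sender is "owner".
function runOnce(enforceEverywhere: boolean, sender: SenderId, text: string): Outcome {
  const gw = new Gateway(["owner"], { id: "s1", active: true }, enforceEverywhere);
  return gw.handle({ sender, text });
}
```

The point of the `enforceEverywhere` branch is placement rather than strictness: the same `isAuthorized` call exists in both versions, but only the hardened one runs it before any command path can be selected, which is what turns a per-command check into a policy that new triggers cannot silently escape.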
CVSS 4.0 score (GHSA): 6.9
Vulnerability type: CWE-863 (Incorrect Authorization)
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026