OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
GHSA-g374-mggx-p6xc
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
Original description
## Summary
Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
## Current Maintainer Triage
- Normalized severity: high
- Assessment: v2026.3.28 still misses trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a real identity-bearing auth path; the complete fix is unreleased.
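To make the triage note concrete, the following is an added illustration of the bug class it describes (scope clearing applied only to Control UI clients versus applied to every client in trusted-proxy mode). It is not OpenClaw's code; the request shape, the `clientKind` values, the `proxyIdentity` object and the `operator.read` scope are assumptions made for this example.

```javascript
// Hypothetical model of scope resolution, written for this advisory; not OpenClaw's code.
// Assumed request shape: { authMode, clientKind, declaredScopes, proxyIdentity }.
const AUTH_MODE_TRUSTED_PROXY = "trusted-proxy";
const CONTROL_UI = "control-ui";

// Incomplete fix, matching the behaviour the triage describes: self-declared scopes
// are discarded only for Control UI clients, so any other client kind keeps the
// operator scopes it asserted for itself even though identity came from the proxy.
function resolveScopesIncomplete(req) {
  if (req.authMode === AUTH_MODE_TRUSTED_PROXY && req.clientKind === CONTROL_UI) {
    return [...req.proxyIdentity.scopes];
  }
  // Other auth modes are outside this illustration and pass declared scopes through.
  return [...req.declaredScopes];
}

// Complete fix: whenever identity is asserted by the trusted proxy, client-declared
// scopes are ignored for every client kind and scopes come only from that identity.
function resolveScopesHardened(req) {
  if (req.authMode === AUTH_MODE_TRUSTED_PROXY) {
    if (!req.proxyIdentity || !Array.isArray(req.proxyIdentity.scopes)) {
      throw new Error("trusted-proxy mode requires a proxy-asserted identity");
    }
    return [...req.proxyIdentity.scopes];
  }
  return [...req.declaredScopes];
}

function hasScope(scopes, scope) {
  return scopes.includes(scope);
}

// Constructed sample: a non-Control-UI client declares operator.admin for itself
// while the proxy-asserted identity only carries the (assumed) operator.read scope.
const sampleRequest = {
  authMode: AUTH_MODE_TRUSTED_PROXY,
  clientKind: "cli",
  declaredScopes: ["operator.admin"],
  proxyIdentity: { user: "alice", scopes: ["operator.read"] },
};

console.log("incomplete:", resolveScopesIncomplete(sampleRequest)); // keeps operator.admin
console.log("hardened:", resolveScopesHardened(sampleRequest));     // operator.read only
```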
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `8b88b927cb0747ad24d95b07d35682bf85dc5b0e` — 2026-03-30T14:19:00+01:00
OpenClaw thanks @north-echo for reporting.
CVSS 4.0 (GHSA): 8.6
Vulnerability type
CWE-863
Incorrect Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026