GHSA-R7VR-GR74-94P8: GHSA-r7vr-gr74-94p8: Improper Authorization and Privilege Escalation in OpenClaw
CVSS Score: 8.8 Published: 2026-03-13 Full Report: https://cvereports.com/reports/GHSA-R7VR-GR74-94P8
OpenClaw versions prior to v2026.3.12 contain an improper authorization vulnerability in the command dispatcher logic. A missing ownership validation check allows any user on the general allowlist to execute highly sensitive administrative commands. This flaw exposes the bot configuration and debug surfaces, leading to potential information disclosure and service disruption.
A missing authorization gate in OpenClaw allows standard authorized users to bypass access controls and execute administrative commands like /config and /debug. Upgrading to v2026.3.12 mitigates the issue by enforcing strict owner validation checks.
- CWE ID: CWE-285, CWE-863
- Attack Vector: Network
- CVSS Score: 8.8
- Impact: Privilege Escalation, Information Disclosure
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
- OpenClaw
- OpenClaw: < v2026.3.12 (Fixed in:
v2026.3.12)
- Upgrade OpenClaw instances to version v2026.3.12 or later.
- Rotate any API keys, database credentials, or access tokens managed by the bot if exploitation is suspected.
- Enforce strict identity-based access controls for internal message channels.
Remediation Steps:
- Pull the latest openclaw release from the package repository (v2026.3.12).
- Rebuild and deploy the bot application.
- Monitor application logs for the message pattern
Ignoring /config from non-owner sender. - Test the configuration endpoints using a standard non-owner user account to ensure access is denied.
- GitHub Advisory: GHSA-r7vr-gr74-94p8
- Fix Commit 08aa57a3de37d337b226ae861f573779f112ff2e
- OpenClaw Release v2026.3.12
- OSV Record GHSA-r7vr-gr74-94p8
Generated by CVEReports - Automated Vulnerability Intelligence