GHSA-RQPP-RJJ8-7WV8: Privilege Escalation via Logic Flaw in OpenClaw WebSocket Authentication
CVSS Score: 9.9
Published: 2026-03-13
Full Report: https://cvereports.com/reports/GHSA-RQPP-RJJ8-7WV8
A critical logic flaw in the OpenClaw gateway's WebSocket authentication mechanism allows remote attackers authenticated via shared secrets to arbitrarily elevate their authorization scopes to administrative levels.
OpenClaw versions 2026.3.11 and prior fail to strip client-declared scopes during WebSocket handshakes for shared-token connections, permitting low-privilege users to obtain 'operator.admin' access.
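The flaw described above, illustrated as an added example that is not OpenClaw's code: a hypothetical shared-token handshake that merges the scopes a client declares in its hello message (the vulnerable pattern) beside one that takes scopes only from the server-side token record. Token values, scope names beyond 'operator.admin', and function names are constructed for the illustration.

```javascript
// Constructed server-side registry: each shared token and the scopes an
// operator actually granted it. Names and values here are hypothetical.
const SHARED_TOKENS = new Map([
  ["tok-readonly-01", { scopes: ["operator.read"] }],
  ["tok-admin-01", { scopes: ["operator.read", "operator.admin"] }],
]);

// Vulnerable pattern: scopes the client declares in its hello are merged into
// the session, so any holder of a low-privilege shared token can claim more.
function resolveScopesVulnerable(hello) {
  const record = SHARED_TOKENS.get(hello.token);
  if (!record) return null; // unknown token: unauthenticated
  const declared = Array.isArray(hello.scopes) ? hello.scopes : [];
  return Array.from(new Set([...record.scopes, ...declared]));
}

// Hardened pattern: client-declared scopes are discarded for shared-token
// connections; the effective set is exactly what the token was granted.
// A client asserting scopes at all is worth logging as a detection signal.
function resolveScopesHardened(hello) {
  const record = SHARED_TOKENS.get(hello.token);
  if (!record) return null;
  if (Array.isArray(hello.scopes) && hello.scopes.length > 0) {
    console.warn(
      `handshake: ignoring ${hello.scopes.length} client-declared scope(s) on shared token`
    );
  }
  return [...record.scopes];
}

// Authorization check used by privileged handlers.
function hasScope(scopes, wanted) {
  return Array.isArray(scopes) && scopes.includes(wanted);
}

// Constructed hello from a read-only token holder asserting admin scope.
const lowPrivHello = { token: "tok-readonly-01", scopes: ["operator.admin"] };

console.log("vulnerable grants admin:",
  hasScope(resolveScopesVulnerable(lowPrivHello), "operator.admin")); // true
console.log("hardened grants admin:",
  hasScope(resolveScopesHardened(lowPrivHello), "operator.admin"));   // false
```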
- CWE ID: CWE-269, CWE-862
- Attack Vector: Network
- CVSS Base Score: 9.9
- Impact: Administrative Privilege Escalation
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Components:
- OpenClaw Gateway WebSocket Endpoint
- openclaw npm package
- openclaw: <= 2026.3.11 (Fixed in: 2026.3.12)
Mitigations:
- Upgrade the openclaw package to version 2026.3.12 or higher.
- Restrict network access to the OpenClaw gateway via IP allowlists or VPN requirements.
- Deprecate shared-token authentication in favor of explicit, device-linked identities.
- Disable trusted-proxy mode unless it is strictly required, to reduce exposure to cross-site WebSocket hijacking (CSWSH).
Remediation Steps:
- Identify all deployments of the openclaw package within the infrastructure.
- Update the dependency in package.json to ^2026.3.12.
- Execute package manager update commands (e.g., npm install or yarn install) to pull the patched version.
- Restart the OpenClaw gateway service to apply the new connection handling logic.
- Review WebSocket connection logs for historical indicators of compromise.
Generated by CVEReports - Automated Vulnerability Intelligence