Keensecuritylab

OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.6 **Description** A configuration enforcement bypass exists in Feishu dynamic-agent bindings. This issue allows authenticated senders to create or update bindings without adhering to the configured config-write controls. By leveraging the dynamic-agent binding feature, an attacker can modify the sender-agent binding state beyond the intended policy, which may lead to unauthorized binding modifications. **Recommendations** Update to version 2026.5.6.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.27 **Description** An authorization bypass exists in QQBot pre-dispatch slash commands. This issue allows authenticated senders to skip `allowFrom` policy checks, enabling them to invoke slash commands before configured access control policies are applied. Depending on the operator configuration, this may trigger command handling from senders who should be blocked. **Recommendations** Update to version 2026.4.27.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.6 **Description** An authorization bypass exists in native command handling. This allows authenticated senders to execute owner-only commands by bypassing configured owner-command access controls, enabling the execution of privileged commands by unauthorized users. **Recommendations** Update to version 2026.5.6.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.6 **Description** Improper access control in Mattermost event handlers occurs due to a failure to validate channel type metadata. This allows attackers to bypass intended Direct Message (DM) policy decisions by sending crafted Mattermost events that lack channel type information to process restricted content. **Recommendations** Update to version 2026.5.6.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.25 **Description** A policy bypass exists in the embedded runner policy. This issue allows requests using provider aliases to be compared against aliases rather than canonical provider identities. When the affected feature is enabled, this confusion can be exploited to obtain bundled tool access that exceeds the intended provider policy restrictions. **Recommendations** Update to version 2026.4.25.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.24 **Description** An authorization bypass exists in the MCP loopback feature. This allows non-owner callers to circumvent owner-only tool policies and before-tool-call hooks. When the feature is enabled and reachable, attackers can use the affected loopback path to invoke owner-only behavior and execute restricted tools. **Recommendations** Update to version 2026.4.24. As a temporary workaround, disable the MCP loopback feature to prevent unauthorized execution of restricted tools.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.6 **Description** An approval policy bypass exists in the Skill Workshop apply flow. This issue allows agent tool calls to set the `apply` variable to `true` even when the `approvalPolicy` is configured as `pending`. An attacker can reach the affected apply path to implement workshop changes before the required approval step, which may lead to unauthorized configuration modifications. **Recommendations** Update to version 2026.5.6.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.6 **Description** An authorization bypass exists in Telegram interactive callbacks. Authenticated users can bypass the `commands.allowFrom` validation by invoking affected callbacks to mark themselves as authorized senders before allowlist checks are applied. This allows the execution of command behavior that ignores configured Telegram sender restrictions. **Recommendations** Update to version 2026.5.6.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.20 **Description** A guard bypass exists in the agent-facing gateway endpoints "config.patch" and "config.apply". This issue fails to protect operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to these protected operator settings. **Recommendations** Update to version 2026.4.20 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.23 **Description** Improper access control in the gateway tool's 'config.apply' and 'config.patch' operations allows compromised models to bypass an incomplete denylist protection. This enables the writing of unsafe configuration changes that persist after a restart, potentially affecting command execution, network behavior, credentials, and operator policies. **Recommendations** Update to version 2026.4.23.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.20 **Description** A tool policy bypass allows bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, which bypasses profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies. **Recommendations** Update to version 2026.4.20.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.15 **Description** An arbitrary local file read issue exists in the webchat audio embedding helper due to a failure to apply local media root containment checks. Attackers can manipulate the `ReplyPayload.mediaUrl` parameter produced by agents or tools to resolve absolute local paths or file URLs. This allows the reading of audio-like files, which are then embedded as base64-encoded data into webchat responses. **Recommendations** Update to version 2026.4.15.