PT-2026-22443 · Npm · Openclaw

Published

2026-02-17

·

Updated

2026-02-17

CVSS v4.0

7.2

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

What this means (plain language)

If you give a client “chat/write” access to the gateway (operator.write) but you do not intend to let that client approve exec requests (operator.approvals), affected versions could still let that client approve/deny a pending exec approval by sending the /approve chat command.
This is mainly relevant for shared or multi-client setups where different tokens are intentionally scoped differently. Single-operator installs are typically less impacted.

Technical summary

A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve or deny pending exec approval requests by sending a chat message containing the built-in /approve command.
exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it through an internal privileged gateway client, so the scopes of the client that actually sent the message were never checked (a confused-deputy path).

Affected Packages / Versions

  • openclaw (npm): < 2026.2.2

Fix

  • Fixed in openclaw 2026.2.2.
  • Fix commit(s): efe2a464afcff55bb5a95b959e6bd9ec0fef086e.
  • Change: when /approve is invoked from gateway clients (webchat/internal channel), it now requires the requesting client to have operator.approvals (or operator.admin).
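The following is an added illustration of the confused-deputy path described in the technical summary and of the check the fix introduces; it is not openclaw's code and does not reproduce its internals. The Gateway class, the Scope names as TypeScript types, the requestExec and handleChat methods, the client ids and the pending request are all hypothetical, constructed for this example. The one real element it models is the distinction between the direct RPC path, which authorizes against the caller's own scopes, and the chat-command path, which in affected versions resolved through a fully privileged internal client.

```typescript
// Added example, not openclaw's code. Models a gateway with per-client scopes
// and shows why routing /approve through an internal privileged client
// bypasses the operator.approvals check, and what the hardened dispatch does.

type Scope = "operator.write" | "operator.approvals" | "operator.admin";

interface Client {
  id: string;
  scopes: Set<Scope>;
}

interface Approval {
  id: string;
  command: string;
  status: "pending" | "approved" | "denied";
}

class Gateway {
  private approvals = new Map<string, Approval>();

  // Hypothetical internal client used by the command path; it holds every
  // scope, which is exactly what makes it a confused deputy when it acts on
  // behalf of a less privileged sender.
  private readonly internal: Client = {
    id: "internal",
    scopes: new Set<Scope>(["operator.write", "operator.approvals", "operator.admin"]),
  };

  // Registers a pending exec approval (constructed input for the demo).
  requestExec(id: string, command: string): Approval {
    const a: Approval = { id, command, status: "pending" };
    this.approvals.set(id, a);
    return a;
  }

  private hasScope(client: Client, ...needed: Scope[]): boolean {
    return needed.some((s) => client.scopes.has(s));
  }

  // Direct RPC path: authorizes against the caller's own scopes, so a
  // write-only token is rejected here (the advisory says this path was fine).
  execApprovalResolve(caller: Client, id: string, decision: "approved" | "denied"): Approval {
    if (!this.hasScope(caller, "operator.approvals", "operator.admin")) {
      throw new Error(`forbidden: ${caller.id} lacks operator.approvals`);
    }
    const a = this.approvals.get(id);
    if (!a) throw new Error(`unknown approval ${id}`);
    if (a.status !== "pending") throw new Error(`approval ${id} already ${a.status}`);
    a.status = decision;
    return a;
  }

  // Chat path: sending a message only needs operator.write. The `fixed` flag
  // selects the vulnerable or the hardened handling of /approve.
  handleChat(sender: Client, text: string, fixed: boolean): string {
    if (!this.hasScope(sender, "operator.write", "operator.admin")) {
      throw new Error(`forbidden: ${sender.id} cannot send messages`);
    }
    const m = /^\/approve\s+(\S+)\s+(approve|deny)$/.exec(text.trim());
    if (!m) return "sent";
    const [, id, verb] = m;
    const decision = verb === "approve" ? "approved" : "denied";
    // Vulnerable: resolve via the privileged internal client, so the sender's
    // scopes are never consulted. Fixed: the sender must itself hold
    // operator.approvals (or operator.admin) for the resolve to succeed.
    const actor = fixed ? sender : this.internal;
    this.execApprovalResolve(actor, id, decision);
    return `resolved ${id}: ${decision}`;
  }
}

// Runs the scenario from the advisory with a constructed write-only client
// and a constructed pending request; returns what happened to the request.
function demo(fixed: boolean): { outcome: string; status: Approval["status"] } {
  const gw = new Gateway();
  const writeOnly: Client = { id: "webchat-1", scopes: new Set<Scope>(["operator.write"]) };
  const req = gw.requestExec("exec-42", "rm -rf /tmp/build");
  let outcome: string;
  try {
    outcome = gw.handleChat(writeOnly, "/approve exec-42 approve", fixed);
  } catch (e) {
    outcome = (e as Error).message;
  }
  return { outcome, status: req.status };
}

console.log("affected:", demo(false)); // write-only client approves the exec
console.log("fixed:   ", demo(true));  // rejected, request stays pending
```

The point to take from the model is that the scope check must be evaluated against the principal that initiated the action, not against whatever identity the command path happens to use to reach the RPC; any "internal" client with broad scopes that acts on behalf of external input recreates the same bug.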

Workarounds

  • Upgrade to openclaw >= 2026.2.2.
  • If you cannot upgrade: avoid issuing write-only device tokens to untrusted clients; disable text commands (commands.text=false) or restrict access to the webchat/control UI.

References

  • Fix: src/auto-reply/reply/commands-approve.ts
  • Coverage: src/auto-reply/reply/commands-approve.test.ts

Release Process Note

This advisory is kept in draft; once the fixed npm versions are available, it can be published without further edits.
Thanks @yueyueL for reporting.

Weakness Enumeration

Incorrect Authorization

Improper Privilege Management

Related Identifiers

GHSA-MQPW-46FH-299H

Affected Products

Openclaw