PT-2026-26501 · Npm · Openclaw
Published: 2026-03-09 · Updated: 2026-03-09
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped.

Affected Packages / Versions
- Package: openclaw (npm)
- Latest published vulnerable version: 2026.3.2
- Affected range: <= 2026.3.2
- Patched in: 2026.3.7
Details
Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus the commands.config / channels.<provider>.configWrites gates. That allowed an authenticated operator.write gateway client to bridge into persistent config writes even though direct config.* RPC methods remain operator.admin scoped.

The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent /config set|unset writes routed through gateway chat.send now require operator.admin
- read-only /config show remains available to normal write-scoped gateway clients
- normal messaging-channel /config behavior remains unchanged
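The following is an added example, not openclaw's code: a minimal model of the authorization decision described above, with the pre-fix path and the fixed path side by side, plus a defender-side audit that flags requests the old path allowed but the fixed policy denies. The scope names (operator.write, operator.admin), the chat.send route, the gate names and the /config subcommands come from this advisory; the request shape, the function names and the boolean gate flags are assumptions made for the example.

```javascript
// Added example, not openclaw's code: a model of the scope check the advisory
// describes. Scope names, the chat.send route, the gate names and the /config
// subcommands come from the advisory; the request shape, function names and
// boolean gate flags are assumptions for this illustration.

const SCOPE_WRITE = "operator.write";
const SCOPE_ADMIN = "operator.admin";

// Parse "/config <set|unset|show> ..." and return the subcommand, or null.
function parseConfigCommand(text) {
  const m = /^\/config\s+(set|unset|show)(\s|$)/.exec(text.trim());
  return m ? m[1] : null;
}

// Feature gates the pre-fix path checked (commands.config and
// channels.<provider>.configWrites in the advisory), modelled as booleans.
const GATES = { commandsConfig: true, configWrites: true };

// Pre-fix behaviour: a command arriving via gateway chat.send runs with
// CommandAuthorized: true, so only the gates are consulted and the client's
// scope never enters the decision for a persistent write.
function authorizeVulnerable(req) {
  const sub = parseConfigCommand(req.text);
  if (!sub) return { allowed: false, reason: "not a /config command" };
  const commandAuthorized =
    req.transport === "chat.send" ? true : Boolean(req.commandAuthorized);
  if (!commandAuthorized) return { allowed: false, reason: "command not authorized" };
  if (!GATES.commandsConfig) return { allowed: false, reason: "commands.config disabled" };
  if (sub !== "show" && !GATES.configWrites) {
    return { allowed: false, reason: "configWrites disabled" };
  }
  return { allowed: true, reason: "ok" };
}

// Fixed behaviour: persistent writes (set/unset) routed through chat.send
// additionally require operator.admin, matching the direct config.* RPC scope.
// Read-only show and messaging-channel /config traffic are left unchanged.
function authorizeFixed(req) {
  const base = authorizeVulnerable(req);
  if (!base.allowed) return base;
  const sub = parseConfigCommand(req.text);
  const persistentWrite = sub === "set" || sub === "unset";
  if (req.transport === "chat.send" && persistentWrite && !req.scopes.includes(SCOPE_ADMIN)) {
    return { allowed: false, reason: "operator.admin required for persistent config write" };
  }
  return base;
}

// Defender-side audit: given gateway request records (e.g. reconstructed from
// pre-patch logs), return the ones the old path allowed but the fixed policy
// denies, i.e. write-scoped chat.send config mutations worth reviewing.
function findScopeBypasses(requests) {
  return requests.filter(
    (r) => authorizeVulnerable(r).allowed && !authorizeFixed(r).allowed
  );
}

// Constructed sample requests for this example (not real traffic).
const SAMPLE_REQUESTS = [
  { id: 1, transport: "chat.send", scopes: [SCOPE_WRITE], text: "/config set exampleKey exampleValue" },
  { id: 2, transport: "chat.send", scopes: [SCOPE_WRITE], text: "/config show" },
  { id: 3, transport: "chat.send", scopes: [SCOPE_ADMIN], text: "/config unset exampleKey" },
  { id: 4, transport: "messaging-channel", commandAuthorized: true, scopes: [], text: "/config set exampleKey exampleValue" },
  { id: 5, transport: "chat.send", scopes: [SCOPE_WRITE], text: "hello" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of SAMPLE_REQUESTS) {
    console.log(r.id, "vulnerable:", authorizeVulnerable(r).allowed, "fixed:", authorizeFixed(r).allowed);
  }
  console.log("bypasses:", findScopeBypasses(SAMPLE_REQUESTS).map((r) => r.id));
}
```

Running the block prints one line per sample request; only request 1 (operator.write client, chat.send, /config set) changes from allowed to denied, which is exactly the scope boundary the fix restores, while /config show, the admin client and the messaging-channel path behave identically before and after.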
Impact
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with operator.write, chat.send access, and /config command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.

Fix Commit(s)
5f8f58ae25e2a78f31b06edcf26532d634ca554e
Release Process Note
npm 2026.3.7 was published on March 8, 2026. The issue described in this advisory is fixed in the released package.

Thanks @tdjackey for reporting.
Fix
Weakness Enumeration: Incorrect Authorization
Affected Products: Openclaw