PT-2026-26620 · Openclaw · Openclaw

Author: Yekai Chen
Published: 2026-03-13
Updated: 2026-04-02

CVE-2026-22172
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.12
Description: OpenClaw contains an authorization bypass in the WebSocket connect path. Shared-token or password-authenticated connections could self-declare elevated scopes, such as operator.admin, without server-side verification, and an attacker could use this to perform administrative operations. The root cause is a logic flaw: for certain connection types, client-declared scopes were not bound on the server side, so a shared-authenticated client could present elevated scopes even without a device identity or a trusted Control UI path.
Recommendations: Versions prior to 2026.3.12 should be updated to version 2026.3.12 or later.
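The following is an added illustration of the weakness class described above, not OpenClaw's own code. It models a connect handler that binds scopes from what the client declares (the defective pattern) beside one that derives the allowed scope set server-side from the authenticated connection type, clamping shared-token and password connections to a baseline unless a verified device identity or the trusted Control UI path is present. The scope "operator.admin" is taken from the advisory; the request shape, the auth kinds, the baseline scope names and the clamping policy are all assumptions constructed for the example.

```python
"""Added example (not OpenClaw's code): client-declared scopes vs server-bound scopes.

Everything except the scope name "operator.admin" is an assumption constructed
to illustrate the advisory's description.
"""
from dataclasses import dataclass

ADMIN_SCOPE = "operator.admin"                        # elevated scope named in the advisory
BASELINE_SCOPES = frozenset({"operator.read", "operator.write"})   # assumed non-admin scopes
SERVER_KNOWN_SCOPES = BASELINE_SCOPES | {ADMIN_SCOPE}              # assumed full scope set


@dataclass(frozen=True)
class ConnectRequest:
    """Simplified, assumed shape of a WebSocket connect request."""
    auth_kind: str                     # assumed values: "shared_token", "password", "device"
    declared_scopes: frozenset         # scopes the client claims for itself
    device_verified: bool = False      # True only when the server verified a device identity
    trusted_control_ui: bool = False   # True only when the connection used the trusted UI path


def bind_scopes_vulnerable(req: ConnectRequest) -> frozenset:
    """Defective pattern: after authentication, trust whatever scopes the client declared."""
    return req.declared_scopes


def bind_scopes_fixed(req: ConnectRequest) -> frozenset:
    """Hardened pattern: the server decides the ceiling, the client can only ask for less.

    Shared-token and password connections are clamped to BASELINE_SCOPES unless the
    server itself established a device identity or the trusted Control UI path.
    Unknown scope strings are dropped in every case.
    """
    can_elevate = req.device_verified or req.trusted_control_ui
    if req.auth_kind in ("shared_token", "password") and not can_elevate:
        ceiling = BASELINE_SCOPES
    else:
        ceiling = SERVER_KNOWN_SCOPES
    return req.declared_scopes & ceiling


def stripped_scopes(req: ConnectRequest) -> frozenset:
    """Scopes the client asked for but the server refused; worth logging for detection,
    since a shared-auth client requesting operator.admin is exactly the pattern above."""
    return req.declared_scopes - bind_scopes_fixed(req)


def can_perform_admin_op(scopes: frozenset) -> bool:
    return ADMIN_SCOPE in scopes


def demo() -> tuple:
    """Same shared-token request through both handlers: (vulnerable_admin, fixed_admin)."""
    req = ConnectRequest("shared_token", frozenset({"operator.read", ADMIN_SCOPE}))
    return (
        can_perform_admin_op(bind_scopes_vulnerable(req)),
        can_perform_admin_op(bind_scopes_fixed(req)),
    )


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point is that the fixed handler never reads the client's declaration as an authority: it is intersected with a ceiling the server computes from facts it established itself (how the client authenticated, whether a device identity was verified, which path the connection arrived on). The stripped-scope set gives an audit hook, since a shared-authenticated client repeatedly declaring an elevated scope is the signal a defender would want to see in connection logs.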

Status: Fix

Weakness Enumeration

Missing Authorization
Improper Privilege Management

Related Identifiers

CVE-2026-22172
GHSA-RQPP-RJJ8-7WV8
GHSA-X49Q-FHHM-R9JF

Affected Products

Openclaw