Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.21.
DescriptionCVE.org
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.
AnalysisAI
Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.
Technical ContextAI
OpenClaw is a command-authorization framework that enforces owner-only command restrictions via the command-auth.ts module. The vulnerability stems from a logic error in resolveCommandAuthorization() where the authorization decision incorrectly reused the channel's wildcard inbound sender policy (allowFrom: ["*"]) as a fallback when resolving command ownership. When a plugin sets enforceOwnerForCommands: true but does not explicitly configure commands.ownerAllowFrom, the absence of concrete owner candidates was incorrectly treated as authorization success (allowAll condition). The root cause (CWE-863: Incorrect Authorization) is the failure to require a concrete owner identity or internal operator-admin scope before granting access to owner-enforced commands. The fix removes the permissive fallback, requiring explicit owner-candidate matching or internal operator.admin scope instead of treating wildcard allowFrom or empty owner-candidate lists as sufficient authorization.
RemediationAI
Upgrade OpenClaw to version 2026.4.21 or later immediately via npm update or package manager. The patched version enforces concrete owner identity matching and requires internal operator-admin scope instead of treating wildcard channel allowFrom as sufficient authorization. For environments unable to upgrade immediately, apply mitigations: configure explicit commands.ownerAllowFrom with intended owner identities instead of relying on default behavior, or avoid using wildcard (allowFrom: ["*"]) sender policies on channels with enforceOwnerForCommands: true enabled until upgrade completes. Workaround configuration does not fully prevent the vulnerability but significantly reduces exposure surface by limiting the affected configuration pattern. The vendor strongly recommends immediate upgrade to 2026.4.21 as the only complete fix. See https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v for detailed remediation guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29136
GHSA-p3pv-c954-9m6f