Skip to main content

OpenClaw CVE-2026-45001

| EUVDEUVD-2026-29146 MEDIUM
Missing Authorization (CWE-862)
2026-05-11 VulnCheck GHSA-9fc9-8v4x-f5cp
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
May 11, 2026 - 18:22 NVD
HIGH MEDIUM
CVSS changed
May 11, 2026 - 18:22 NVD
7.1 (HIGH) 6.0 (MEDIUM)
Source Code Evidence Fetched
May 11, 2026 - 17:46 vuln.today
Analysis Generated
May 11, 2026 - 17:46 vuln.today
CVE Published
May 11, 2026 - 16:46 nvd
HIGH 7.1

DescriptionCVE.org

OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to protected operator settings.

AnalysisAI

Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.

Technical ContextAI

OpenClaw is an AI agent framework delivered as an npm package that provides gateway endpoints for model-driven configuration management. The vulnerability (CWE-862: Missing Authorization) exists in the authorization guard logic protecting the agent-facing gateway tool's config.patch and config.apply methods. These endpoints allow runtime configuration changes but failed to enforce access controls on operator-trusted configuration paths including agents.defaults.sandbox, agents.list[].sandbox, agents.list[].tools, tools.fs, plugins.allow, plugins.entries, hooks.token, browser.ssrfPolicy, and mcp.servers. The guard implementation did not cover per-agent overrides or array-entry patching via the mergeObjectArraysById pattern, enabling privilege escalation through nested configuration mutations. The CVSS vector AV:N indicates network-accessible endpoints, though exploitation requires authenticated access (PR:L) to the gateway tool system, not direct unauthenticated remote access to the gateway itself.

RemediationAI

Upgrade to OpenClaw version 2026.4.20 or later, which introduces comprehensive authorization guards blocking model-driven config.patch and config.apply mutations to operator-trusted configuration paths including sandbox policies, plugin enablement, gateway authentication/TLS settings, hook routing, MCP server configuration, SSRF policies, and filesystem hardening controls. The fix also prevents guard bypass via per-agent overrides and array-entry patching under agents.list[]. Installation via npm: 'npm install openclaw@2026.4.20' or 'npm update openclaw'. Vendor advisory and patch details available at https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc. If immediate patching is not feasible, implement these compensating controls with their trade-offs: (1) Disable or restrict the gateway tool from agent access by removing it from the agents.defaults.tools allowlist-this prevents legitimate model-driven gateway management workflows but eliminates the attack vector entirely. (2) Implement strict input validation and prompt injection detection on all user-supplied content reaching models with gateway tool access-reduces risk but cannot guarantee prevention of sophisticated injection techniques. (3) Enable comprehensive audit logging for all config.patch and config.apply operations with alerting on changes to protected paths listed in the advisory (sandbox, plugins.*, hooks.*, browser.ssrfPolicy, mcp.servers, tools.fs)-provides detection but not prevention, requiring manual incident response. (4) Run OpenClaw agents in isolated environments with read-only configuration mounted from external sources and restart-based configuration changes only-eliminates runtime mutation capability but sacrifices dynamic reconfiguration features. Each workaround involves operational friction and should be considered temporary until upgrade completion.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-45001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy