CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory.
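The defect described above is a server trusting a request-supplied `workspaceDir` as the authority for where file and exec operations may run. The following is an added illustration of the defensive pattern, not OpenClaw's own code: the workspace root comes from the operator's session binding rather than the request, and any request-supplied `workspaceDir` is only allowed to narrow that root after canonicalisation and a containment check. The names `resolve_in_workspace`, `workspace_for_request`, `WorkspaceEscape` and the session field `workspaceRoot` are constructed for this example.

```python
import os


class WorkspaceEscape(Exception):
    """Raised when a requested path would leave the configured workspace."""


def resolve_in_workspace(workspace_root: str, requested: str) -> str:
    """Return a canonical absolute path for `requested` that is guaranteed to
    lie inside `workspace_root`, or raise WorkspaceEscape.

    `requested` is interpreted relative to the workspace.  An absolute value
    (os.path.join discards the root when the second argument is absolute) or a
    `..` sequence that climbs out of the root is rejected.  realpath resolves
    symlinks, so a link inside the workspace that points outside is caught too.
    """
    root = os.path.realpath(workspace_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        # commonpath is used instead of str.startswith: a plain prefix test
        # would wrongly accept "/srv/ws2" as being inside "/srv/ws".
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained:
        raise WorkspaceEscape(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def is_escape(workspace_root: str, requested: str) -> bool:
    """Convenience predicate: True if `requested` would leave the workspace."""
    try:
        resolve_in_workspace(workspace_root, requested)
    except WorkspaceEscape:
        return True
    return False


def workspace_for_request(session: dict, params: dict) -> str:
    """Decide which directory a file/exec RPC may operate in.

    The authoritative root is the operator's session binding (constructed field
    `workspaceRoot`), never a value from the request.  The request may supply
    `workspaceDir` only to select a subdirectory, and that value is validated.
    """
    root = session["workspaceRoot"]
    sub = params.get("workspaceDir")
    if sub is None:
        return os.path.realpath(root)
    return resolve_in_workspace(root, sub)


if __name__ == "__main__":
    # Constructed session and requests for demonstration.
    session = {"operator": "op1", "workspaceRoot": "/srv/openclaw/workspaces/op1"}
    for params in ({}, {"workspaceDir": "project/src"},
                   {"workspaceDir": "../op2"}, {"workspaceDir": "/etc"}):
        try:
            print(params, "->", workspace_for_request(session, params))
        except WorkspaceEscape as exc:
            print(params, "-> REJECTED:", exc)
```

The check runs after canonicalisation on purpose: validating the raw string (rejecting `..`, say) misses encodings, redundant separators and symlinks, whereas comparing the resolved path against the resolved root covers all of them at once.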
Analysis
Authorization bypass in OpenClaw gateway agent RPC enables authenticated operators with operator.write permission to escape workspace boundaries and execute arbitrary operations outside designated directories. Attackers supply malicious spawnedBy and workspaceDir parameters to perform file and exec operations from any process-accessible location. …
Remediation
Within 24 hours: Inventory all OpenClaw deployments and identify versions prior to 2026.3.11; restrict RPC access via network segmentation and firewall rules to trusted operator networks only. Within 7 days: Contact OpenClaw vendor for patch availability and upgrade timeline; implement principle of least privilege by auditing and removing unnecessary operator.write permissions from service accounts. …
External POC / Exploit Code
EUVD-2026-17026
GHSA-5w3r-prr4-7j25