Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to protected operator settings.
AnalysisAI
Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.
Technical ContextAI
OpenClaw is an AI agent framework delivered as an npm package that provides gateway endpoints for model-driven configuration management. The vulnerability (CWE-862: Missing Authorization) exists in the authorization guard logic protecting the agent-facing gateway tool's config.patch and config.apply methods. These endpoints allow runtime configuration changes but failed to enforce access controls on operator-trusted configuration paths including agents.defaults.sandbox, agents.list[].sandbox, agents.list[].tools, tools.fs, plugins.allow, plugins.entries, hooks.token, browser.ssrfPolicy, and mcp.servers. The guard implementation did not cover per-agent overrides or array-entry patching via the mergeObjectArraysById pattern, enabling privilege escalation through nested configuration mutations. The CVSS vector AV:N indicates network-accessible endpoints, though exploitation requires authenticated access (PR:L) to the gateway tool system, not direct unauthenticated remote access to the gateway itself.
RemediationAI
Upgrade to OpenClaw version 2026.4.20 or later, which introduces comprehensive authorization guards blocking model-driven config.patch and config.apply mutations to operator-trusted configuration paths including sandbox policies, plugin enablement, gateway authentication/TLS settings, hook routing, MCP server configuration, SSRF policies, and filesystem hardening controls. The fix also prevents guard bypass via per-agent overrides and array-entry patching under agents.list[]. Installation via npm: 'npm install openclaw@2026.4.20' or 'npm update openclaw'. Vendor advisory and patch details available at https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc. If immediate patching is not feasible, implement these compensating controls with their trade-offs: (1) Disable or restrict the gateway tool from agent access by removing it from the agents.defaults.tools allowlist-this prevents legitimate model-driven gateway management workflows but eliminates the attack vector entirely. (2) Implement strict input validation and prompt injection detection on all user-supplied content reaching models with gateway tool access-reduces risk but cannot guarantee prevention of sophisticated injection techniques. (3) Enable comprehensive audit logging for all config.patch and config.apply operations with alerting on changes to protected paths listed in the advisory (sandbox, plugins.*, hooks.*, browser.ssrfPolicy, mcp.servers, tools.fs)-provides detection but not prevention, requiring manual incident response. (4) Run OpenClaw agents in isolated environments with read-only configuration mounted from external sources and restart-based configuration changes only-eliminates runtime mutation capability but sacrifices dynamic reconfiguration features. Each workaround involves operational friction and should be considered temporary until upgrade completion.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29146
GHSA-9fc9-8v4x-f5cp