Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with low-privilege authentication required; integrity high due to policy bypass; scope unchanged as impact remains within the vulnerable OpenClaw system.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.
AnalysisAI
OpenClaw versions before 2026.4.25 expose an authorization bypass via unvalidated user-controlled group IDs in the tool group policy resolver, enabling authenticated low-privilege network attackers to manipulate access-control decisions for tool invocations. The CVSS 4.0 vector assigns VI:H (High integrity impact on the vulnerable system), reflecting that successful exploitation can cause the policy engine to grant or deny tool permissions contrary to the intended configuration. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AT:P metric indicates a specific attack requirement limits opportunistic mass exploitation.
Technical ContextAI
OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements a tool group policy system in which policy callers resolve access decisions based on group identifiers. The root cause is CWE-639 (Authorization Through User-Controlled Key): the policy resolver accepts group IDs supplied by the caller without validating that the provided ID corresponds to the caller's actual assigned group or a permitted group scope. This class of flaw - sometimes called Insecure Direct Object Reference at the authorization layer - allows a user to substitute an arbitrary group ID and receive the policy entitlements associated with that foreign group, whether more or less permissive than their own. The flaw is in the 'tool group policy callers' layer, meaning the validation gap exists before the policy engine processes the request, not within the engine's own enforcement logic.
RemediationAI
The primary remediation is to upgrade OpenClaw to version 2026.4.25 or later, which introduces proper input validation for group IDs in the tool group policy callers. The vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7 should be consulted for release notes and any additional guidance. If immediate patching is not feasible, the most specific compensating control is to restrict which authenticated roles or users are permitted to supply group IDs to the policy resolver - enforcing that callers can only reference their own assigned group and not arbitrary IDs at the API or middleware layer would eliminate the attack surface without requiring a code change. A secondary control is to audit policy resolver invocation logs for group ID values that do not match the invoking user's provisioned groups, as this would identify exploitation attempts. Be aware that adding a strict allow-list at the integration layer may break legitimate workflows if any current callers intentionally traverse multiple group policies by design.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37165
GHSA-8wmm-344f-mpjg