DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2CH6-X3G4-7759: GHSA-2CH6-X3G4-7759: Authorization Bypass in OpenClaw via Identity Confusion

#security #cve #cybersecurity #ghsa

GHSA-2CH6-X3G4-7759: Authorization Bypass in OpenClaw via Identity Confusion

Vulnerability ID: GHSA-2CH6-X3G4-7759
CVSS Score: 8.1
Published: 2026-03-03

A critical authorization bypass vulnerability exists in OpenClaw, an open-source personal AI assistant. The flaw resides in the command authorization logic within src/auto-reply/command-auth.ts, specifically in how the application resolves sender identities. Due to insufficient validation of the ctx.From field, the system may treat a conversation container identifier (such as a Group JID or Channel ID) as a valid user identity. If an administrator inadvertently adds a group identifier to the allowFrom configuration, every member of that conversation gains administrative privileges, allowing them to execute privileged commands. This vulnerability affects all versions prior to 2026.3.2.

TL;DR

OpenClaw versions before 2026.3.2 suffer from an identity confusion vulnerability where group/channel IDs are treated as valid user identities. If a group ID is allowlisted, all members of that group can execute administrative commands.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287
  • Vulnerability Type: Identity Confusion
  • CVSS Score: 8.1
  • Attack Vector: Network
  • Affected Component: src/auto-reply/command-auth.ts
  • Fix Commit: 08e2aa44e78a9c946d97bea62304e6f533b8fa8e

Affected Systems

  • OpenClaw Personal AI Assistant
  • OpenClaw: < 2026.3.2 (Fixed in: 2026.3.2)

Code Analysis

Commit: 08e2aa4

Fix identity confusion in command auth by filtering conversation IDs

function isConversationLikeIdentity(value: string): boolean { ... }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.3.2 or later immediately.
  • Audit openclaw.json and remove any entries in commands.allowFrom that represent groups, channels, or topics.
  • Restrict commands.allowFrom exclusively to unique user identifiers (e.g., specific Telegram UIDs or E.164 phone numbers).

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Pull the latest docker image or update the source code: git pull origin main.
  3. Verify the version in package.json is >= 2026.3.2.
  4. Open your configuration file (usually openclaw.json or config.json).
  5. Locate the commands section and the allowFrom array.
  6. Remove any strings containing @g.us (WhatsApp Groups) or negative integers (Telegram Groups).
  7. Restart the OpenClaw service.

References

Read the full report for GHSA-2CH6-X3G4-7759 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)