GHSA-9HJH-FR4F-GXC4: Privilege Escalation via WebSocket Reconnect in OpenClaw Gateway
Vulnerability ID: GHSA-9HJH-FR4F-GXC4
CVSS Score: 9.8
Published: 2026-03-27
A critical vulnerability in the OpenClaw gateway allows low-privilege operator identities to silently escalate their privileges to full administrative access. The flaw exists in the WebSocket handshake authorization logic, specifically within the backend reconnect bypass mechanism.
TL;DR
OpenClaw Gateway <= 2026.3.24 fails to validate requested scopes during backend WebSocket reconnects from local addresses, allowing low-privileged operators to silently claim operator.admin access.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-269
- Attack Vector: Network / WebSocket
- Impact: Privilege Escalation to Admin
- Exploit Status: PoC Available
Affected Systems
- OpenClaw Gateway
- openclaw: <= 2026.3.24 (Fixed in: 2026.3.25)
Code Analysis
Commit: d3d8e31
Fix silent scope upgrade bypass during backend reconnect
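The following TypeScript is an added illustrative model of the bug class and of the fix shape, not OpenClaw's code: the Identity/Handshake/Session types, the authorizeVulnerable/authorizeFixed/findSilentUpgrades functions and the scope names other than operator.admin are assumptions. It shows the local backend-reconnect fast path handing back requested scopes unchecked, the fixed path validating every request against granted scopes, and a small audit-review check for the "unexpected scope grants" mitigation.

```typescript
// Added illustrative model of the bug class and its fix; not OpenClaw's code.
type Scope = "operator.read" | "operator.write" | "operator.admin"; // assumed names

export interface Identity { id: string; grantedScopes: Scope[] }
export interface Session { identityId: string; scopes: Scope[] }
export interface Handshake {
  identity: Identity;          // authenticated operator identity
  requestedScopes: Scope[];    // scopes the client asks for on connect
  isBackendReconnect: boolean; // client claims to be a reconnecting backend
  remoteIsLocal: boolean;      // from socket address or a forwarded header (spoofable)
}

// Every requested scope must already be granted to the identity.
function validateScopes(h: Handshake): Scope[] {
  const granted = new Set<Scope>(h.identity.grantedScopes);
  const denied = h.requestedScopes.filter((s) => !granted.has(s));
  if (denied.length > 0) {
    throw new Error(`scope(s) not granted to ${h.identity.id}: ${denied.join(", ")}`);
  }
  return h.requestedScopes;
}

// Vulnerable shape: the local backend-reconnect fast path returns the
// requested scopes unchecked, so a low-privilege identity that asks for
// operator.admin silently receives it.
export function authorizeVulnerable(h: Handshake): Session {
  if (h.isBackendReconnect && h.remoteIsLocal) {
    return { identityId: h.identity.id, scopes: h.requestedScopes };
  }
  return { identityId: h.identity.id, scopes: validateScopes(h) };
}

// Fixed shape: the same validation runs on every path, so a reconnect
// can restore scopes but never widen them, whatever the source address.
export function authorizeFixed(h: Handshake): Session {
  return { identityId: h.identity.id, scopes: validateScopes(h) };
}

// Audit-review helper: identity ids of sessions whose effective scopes
// exceed what the identity was granted (the "unexpected scope grants").
export function findSilentUpgrades(sessions: Session[], identities: Map<string, Identity>): string[] {
  return sessions
    .filter((s) => {
      const granted = new Set<Scope>(identities.get(s.identityId)?.grantedScopes ?? []);
      return s.scopes.some((scope) => !granted.has(scope));
    })
    .map((s) => s.identityId);
}
```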
Mitigation Strategies
- Audit reverse proxy configurations to drop spoofed local headers
- Implement strict network segmentation around the gateway
- Monitor audit logs for unexpected scope grants
Remediation Steps
- Identify all OpenClaw gateway instances running version 2026.3.24 or older
- Upgrade the OpenClaw gateway to version 2026.3.25
- Review recent audit logs for signs of unauthorized escalation