CVE Reports

Posted on • Originally published at cvereports.com

GHSA-f6h3-846h-2r8w: Authorization Bypass in OpenClaw via Improper Recipient Validation

Vulnerability ID: GHSA-F6H3-846H-2R8W
CVSS Score: 9.8
Published: 2026-03-04

OpenClaw (formerly Clawdbot) contains a critical authorization bypass vulnerability in its elevated permissions module. The flaw is overly permissive validation logic in the isApprovedElevatedSender function, which includes the message recipient's identifier (the bot itself) among the identities it checks against the allowlist. If an administrator lists the bot's own identity in the tools.elevated.allowFrom configuration (a common pattern for self-testing), any unauthenticated remote user can execute commands with elevated privileges simply by sending a message to the bot, because the recipient's identity, not the sender's, satisfies the check.

TL;DR

A logic flaw in OpenClaw's authorization system allows attackers to bypass access controls for elevated commands. When a message is sent to a bot whose own ID is on the allowlist, the system validates the request against the recipient's identity rather than the sender's, granting full administrative access to unauthorized users.

⚠️ Exploit Status: POC (proof of concept)

Technical Details

  • CWE: CWE-285: Improper Authorization
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (Remote)
  • Privileges Required: None
  • User Interaction: None
  • Patch Status: Released (2026-02-22)

Affected Systems

  • OpenClaw (formerly Clawdbot/Moltbot)
  • OpenClaw: < 2026.3.2 (Fixed in: 2026.3.2)

Code Analysis

Commit: 6817c0e

Fix elevated sender authorization logic to exclude recipient tokens and enforce identity prefixes

Mitigation Strategies

  • Software Update
  • Configuration Audit
  • Principle of Least Privilege

Remediation Steps:

  1. Update OpenClaw: Upgrade immediately to the latest version (post-February 22, 2026), which includes the fix from commit 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2.
  2. Audit Configuration: Inspect the tools.elevated.allowFrom section of your config.json file.
  3. Remove Self-References: Ensure the bot's own identifier (phone number, bot ID, handle) is NOT present in the allowlist.
  4. Enforce Prefixes: Convert all existing allowlist entries to use strict prefixes. Change plain IDs to id:<number> or username:<name> to prevent ambiguity. Prefer id: (immutable) over name: (mutable/spoofable).
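To make the Code Analysis and the remediation steps concrete, the following is an added illustration, not OpenClaw's code: a hypothetical reconstruction of the flawed sender check next to a hardened one, plus a helper that audits tools.elevated.allowFrom for the two misconfigurations the steps above tell you to remove. The identity fields, the helper names other than isApprovedElevatedSender, and the sample values are all assumptions.

```javascript
// Hypothetical reconstruction (not OpenClaw's code). Only the function name
// isApprovedElevatedSender and the config key tools.elevated.allowFrom come
// from the advisory; identity shape and sample values are constructed.
const BOT = { id: "100", username: "openclaw_bot" }; // constructed bot identity
const PREFIXES = ["id:", "username:"];

// Every token an identity may be referred to by, with and without a prefix.
function tokensFor(identity) {
  return [identity.id, identity.username,
          `id:${identity.id}`, `username:${identity.username}`];
}

// VULNERABLE pattern (pre-fix behaviour described in the advisory): candidate
// tokens are collected from the sender AND the recipient, so an allowlist entry
// naming the bot itself matches every inbound message regardless of sender.
function isApprovedElevatedSenderVulnerable(allowFrom, sender, recipient) {
  const candidates = [...tokensFor(sender), ...tokensFor(recipient)];
  return allowFrom.some((entry) => candidates.includes(entry));
}

// HARDENED pattern (what the fix enforces): only sender tokens are considered,
// and only prefixed allowlist entries can match; bare IDs are never honoured.
function isApprovedElevatedSenderFixed(allowFrom, sender) {
  const senderTokens = new Set([`id:${sender.id}`, `username:${sender.username}`]);
  return allowFrom.some((entry) =>
    PREFIXES.some((p) => entry.startsWith(p)) && senderTokens.has(entry));
}

// Config audit for remediation steps 2-4: flags entries that name the bot
// itself and entries that lack an identity prefix.
function auditAllowFrom(config, bot) {
  const allowFrom = config?.tools?.elevated?.allowFrom ?? [];
  const self = new Set(tokensFor(bot));
  const findings = [];
  for (const entry of allowFrom) {
    if (self.has(entry)) {
      findings.push({ entry, issue: "self-reference" });
    } else if (!PREFIXES.some((p) => entry.startsWith(p))) {
      findings.push({ entry, issue: "unprefixed" });
    }
  }
  return findings;
}
```

Run auditAllowFrom over your own config.json contents with the bot's real identity; any "self-reference" finding is the condition the advisory describes, and any "unprefixed" finding should be rewritten with an id: or username: prefix.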
