CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FQW4-MPH7-2VR8: OpenClaw Gateway Silent Privilege Escalation via Shared-Auth Reconnect

Vulnerability ID: GHSA-FQW4-MPH7-2VR8
CVSS Score: 9.8
Published: 2026-03-27

The OpenClaw Gateway Server contains a critical privilege escalation vulnerability in its WebSocket reconnection logic. Devices authenticating via the shared-auth mechanism can silently upgrade restricted permissions to administrative access without user interaction, leading to arbitrary remote code execution on the host node.

TL;DR

A flaw in OpenClaw's shared-auth reconnection logic allows local or trusted devices with limited access to silently escalate to administrative privileges, resulting in host RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-269
  • Attack Vector: Local Network / Localhost
  • Attack Complexity: Low
  • Privileges Required: Low (existing device identity)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • OpenClaw Gateway Server
  • OpenClaw: < 2026-03-25 (Fixed in: Commit 81ebc7e0344fd19c85778e883bad45e2da972229)

Code Analysis

Commit: 81ebc7e

Fix silent scope upgrade logic in gateway WebSocket reconnection
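The report gives only the commit message, not the patched code. As an added illustration (hypothetical code written for this page, not OpenClaw's own; the pairing-record layout, the scope names beyond operator.admin, and all function names are assumptions), the following models the CWE-269 defect class the advisory describes, a reconnect path that lets a device widen its own scopes, next to a hardened form that caps a session at the scopes approved at pairing time, plus a small audit helper matching the "revoke unauthorized operator.admin scopes" mitigation.

```python
"""Model of a silent scope upgrade on WebSocket reconnect (CWE-269).
Hypothetical illustration, not OpenClaw code; record layout and scope names are assumed."""
from dataclasses import dataclass


@dataclass
class PairedDevice:
    device_id: str
    granted_scopes: frozenset  # scopes an operator approved when the device was paired


@dataclass
class ReconnectRequest:
    device_id: str
    shared_auth_ok: bool         # shared-auth token already validated by the caller
    requested_scopes: frozenset  # scopes the client asks for on reconnect


def reconnect_vulnerable(registry: dict, req: ReconnectRequest) -> frozenset:
    """Defective pattern: a valid shared-auth token is treated as sufficient to
    grant whatever scopes the client names, so a device paired with a restricted
    scope can quietly come back holding operator.admin with no user interaction."""
    if not req.shared_auth_ok or req.device_id not in registry:
        raise PermissionError("unauthenticated reconnect")
    registry[req.device_id].granted_scopes = req.requested_scopes  # silent upgrade
    return req.requested_scopes


def reconnect_hardened(registry: dict, req: ReconnectRequest) -> frozenset:
    """Hardened pattern: authentication proves identity, not authorization.
    A reconnect can only narrow the session to what was approved at pairing;
    any requested scope outside that set is refused and left for operator review."""
    if not req.shared_auth_ok or req.device_id not in registry:
        raise PermissionError("unauthenticated reconnect")
    approved = registry[req.device_id].granted_scopes
    escalation = req.requested_scopes - approved
    if escalation:
        raise PermissionError(f"scope escalation denied: {sorted(escalation)}")
    return req.requested_scopes & approved  # never wider than the pairing grant


def devices_with_admin(registry: dict) -> list:
    """Audit helper: list paired devices currently holding operator.admin so
    unrecognized entries can be revoked (constructed registry, see test)."""
    return sorted(d for d, rec in registry.items() if "operator.admin" in rec.granted_scopes)
```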

Mitigation Strategies

  • Update OpenClaw to the latest patched version containing commit 81ebc7e0344fd19c85778e883bad45e2da972229.
  • Audit the list of paired devices in the gateway and revoke unauthorized operator.admin scopes.
  • Rotate the OPENCLAW_SECRET environment variable to invalidate existing shared-auth tokens.
  • Isolate the OpenClaw gateway from untrusted networks and restrict physical/local access.

Remediation Steps

  1. Pull the latest OpenClaw repository or Docker image containing the fix.
  2. Restart the OpenClaw gateway service to apply the update.
  3. Generate a new cryptographic string for OPENCLAW_SECRET.
  4. Update the secret in the gateway environment variables and distribute it only to trusted components.
  5. Navigate to the OpenClaw management interface and remove unrecognized paired device identities.

Read the full report for GHSA-FQW4-MPH7-2VR8 on our website for more details including interactive diagrams and full exploit analysis.
