DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-RQPP-RJJ8-7WV8: Privilege Escalation via Logic Flaw in OpenClaw WebSocket Authentication

Vulnerability ID: GHSA-RQPP-RJJ8-7WV8
CVSS Score: 9.9
Published: 2026-03-13

A critical logic flaw in the OpenClaw gateway's WebSocket authentication mechanism allows a remote attacker who is authenticated only via a shared secret to elevate their own authorization scopes to administrative level.

TL;DR

OpenClaw versions 2026.3.11 and prior fail to strip client-declared scopes during WebSocket handshakes for shared-token connections, permitting low-privilege users to obtain 'operator.admin' access.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-269 (Improper Privilege Management), CWE-862 (Missing Authorization)
  • Attack Vector: Network
  • CVSS Base Score: 9.9
  • Impact: Administrative Privilege Escalation
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • OpenClaw Gateway WebSocket Endpoint
  • openclaw npm package
  • openclaw: <= 2026.3.11 (Fixed in: 2026.3.12)

Code Analysis

Commit: 5e389d5

Fix scope stripping logic for device-less connections

Exploit Details

  • Regression Tests: Proof of Concept demonstrating WebSocket connection with self-declared scopes and RPC execution.

Mitigation Strategies

  • Upgrade the openclaw package to version 2026.3.12 or higher.
  • Restrict network access to the OpenClaw gateway via IP allowlists or VPN requirements.
  • Deprecate the use of shared-token authentication in favor of explicit, device-linked identities.
  • Disable trusted-proxy mode unless it is strictly required, to reduce exposure to the cross-site WebSocket hijacking (CSWSH) attack vector.

Remediation Steps:

  1. Identify all deployments of the openclaw package within the infrastructure.
  2. Update the dependency in package.json to ^2026.3.12.
  3. Execute package manager update commands (e.g., npm install or yarn install) to pull the patched version.
  4. Restart the OpenClaw gateway service to apply the new connection handling logic.
  5. Review WebSocket connection logs for historical indicators of compromise.
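The following is an added illustration written for this post; it is not OpenClaw's code and does not reproduce the patched commit. It shows the shape of the flaw the TL;DR describes (client-declared scopes copied into the session for a shared-token connection) next to a hardened scope-resolution step that derives scopes from server-side policy and reports what it stripped, plus a small retrospective check of the kind step 5 above calls for. Every identifier (resolveScopesVulnerable, resolveScopesFixed, auditConnectionLog, the handshake and log-record fields, and every scope name except 'operator.admin') is an assumption made for the example.

```javascript
// Added illustration; not OpenClaw's code. Every identifier here
// (resolveScopesVulnerable, resolveScopesFixed, auditConnectionLog, the
// handshake and log-record fields, and every scope name except
// 'operator.admin') is an assumption made for this example.

// Server-side policy: the only scopes a shared-token (device-less) caller may
// hold. Constructed for the example.
const SHARED_TOKEN_SCOPES = new Set(['operator.read']);

// Flawed shape described by the advisory: the scope list the client declares
// in the handshake is copied into the session unchanged, so a caller that
// only knows the shared token can declare 'operator.admin' for itself.
function resolveScopesVulnerable(handshake) {
  return {
    authMode: handshake.authMode,
    scopes: [...(handshake.declaredScopes ?? [])],
    stripped: [],
  };
}

// Hardened shape: scopes come from server-side policy, never from the client.
// Shared-token connections get exactly the allowlist; device-linked
// connections get the intersection of what the device registry grants and
// what the client asked for, so a request can narrow but never widen.
// Anything the client declared beyond that is reported as `stripped` so the
// handshake can be logged.
function resolveScopesFixed(handshake, deviceScopeLookup) {
  const declared = handshake.declaredScopes ?? [];
  if (handshake.authMode === 'shared-token') {
    return {
      authMode: 'shared-token',
      scopes: [...SHARED_TOKEN_SCOPES],
      stripped: declared.filter((s) => !SHARED_TOKEN_SCOPES.has(s)),
    };
  }
  if (handshake.authMode === 'device') {
    const allowed = new Set(deviceScopeLookup(handshake.deviceId) ?? []);
    const requested = declared.length > 0 ? declared : [...allowed];
    return {
      authMode: 'device',
      scopes: requested.filter((s) => allowed.has(s)),
      stripped: requested.filter((s) => !allowed.has(s)),
    };
  }
  throw new Error(`unknown auth mode: ${String(handshake.authMode)}`);
}

// The check a privileged RPC handler runs against the established session.
function canInvokeAdminRpc(session) {
  return session.scopes.includes('operator.admin');
}

// Retrospective review (remediation step 5): flag past connections where a
// shared-token session ended up holding 'operator.admin'. The record shape
// {connId, authMode, scopes} is constructed; map your gateway's real log
// format onto it.
function auditConnectionLog(records) {
  return records
    .filter((r) => r.authMode === 'shared-token' && r.scopes.includes('operator.admin'))
    .map((r) => r.connId);
}

// Constructed inputs: a shared-token caller self-declaring admin scope, and a
// three-entry connection log.
const sharedTokenHandshake = {
  authMode: 'shared-token',
  declaredScopes: ['operator.read', 'operator.admin'],
};
const constructedLog = [
  { connId: 'c1', authMode: 'device', scopes: ['operator.admin'] },
  { connId: 'c2', authMode: 'shared-token', scopes: ['operator.read'] },
  { connId: 'c3', authMode: 'shared-token', scopes: ['operator.read', 'operator.admin'] },
];

function demo() {
  const before = resolveScopesVulnerable(sharedTokenHandshake);
  const after = resolveScopesFixed(sharedTokenHandshake, () => []);
  return {
    adminBeforeFix: canInvokeAdminRpc(before),                 // true: the flaw
    adminAfterFix: canInvokeAdminRpc(after),                   // false
    strippedAfterFix: after.stripped,                          // ['operator.admin']
    suspiciousConnections: auditConnectionLog(constructedLog), // ['c3']
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the fixed resolver never reads the client's list as a grant: for shared-token callers it is ignored entirely, and for device-linked callers it can only intersect with what the registry already allows. Returning the stripped scopes alongside the granted ones gives the gateway something concrete to log, which is what makes the retrospective audit possible.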

Read the full report for GHSA-RQPP-RJJ8-7WV8 on our website for more details including interactive diagrams and full exploit analysis.
