OpenClaw Unauthorized Channel Allowlist Modification via chat.send
A vulnerability in OpenClaw versions 2026.3.23 and earlier allows a gateway client with `operator.write` scope to bypass intended privilege separation and persist channel authorization policy.
OpenClaw versions 2026.3.23 and earlier contain a privilege escalation vulnerability that allows an attacker with operator.write scope to modify channel authorization policies that should be restricted to operator.admin scope. This occurs due to a missing sink-side check on the /allowlist command when called internally through the chat.send function. A malicious actor can leverage this vulnerability to widen DM or group allowlists for channels, bypassing intended authorization controls. The vulnerability was patched in OpenClaw version 2026.3.24, which is the current shipping release. This bypass weakens the documented control-plane privilege split between write actions and admin-only persistent authorization mutation.
Attack Chain
- An attacker authenticates to the OpenClaw gateway with
operator.writescope. - The attacker sends a message via the
chat.sendAPI. chat.sendbuilds an internal message context withCommandAuthorized: trueand includesGatewayClientScopes.resolveCommandAuthorization(...)translates this intoisAuthorizedSender=truebecause no stricter override is present.- The attacker uses the
/allowlist add|removecommand within thechat.sendmessage content. - The
/allowlisthandler clones the parsed config and callsplugin.allowlist.applyConfigEdit(...). - The handler validates the result and attempts to persist it with
writeConfigFile(validated.config). - Due to the missing
operator.admincheck before the write occurs, the configuration is updated, widening the DM or group allowlists for the targeted channel.
Impact
A gateway client limited to operator.write can persist first-party channel authorization policy, which should require operator.admin. This allows the attacker to widen DM or group allowlists for channels using the /allowlist functionality. Successfully exploiting this vulnerability weakens the security posture of the OpenClaw gateway by undermining the intended access control mechanisms. Attackers can potentially read private communications.
Recommendation
- Upgrade OpenClaw to version 2026.3.24 or later to patch the vulnerability (reference: GitHub advisory).
- Monitor gateway logs for the use of
/allowlist addor/allowlist removecommands originating fromoperator.write-scoped clients (reference: Attack Chain). - Implement rate limiting on the
chat.sendAPI to mitigate potential abuse (reference: Attack Chain).
Detection coverage 2
OpenClaw Allowlist Modification via chat.send
highDetects the use of /allowlist commands within chat.send from operator.write clients, indicating a potential privilege escalation attempt.
OpenClaw Unauthorized Config File Write
mediumDetects writes to the OpenClaw config file performed without operator.admin privileges, possibly indicating an exploitation attempt of the allowlist vulnerability.
Detection queries are available on the platform. Get full rules →