OpenClaw Scoped Chat Route Inheritance Could Bypass Admin Command Scope Gates
A vulnerability in OpenClaw allows an attacker with `operator.write` privileges to bypass intended administrative command scope gates by delivering a scoped Gateway `chat.send` request through an inherited external route, leading to unauthorized execution of critical administrative commands.
A high-severity vulnerability has been identified in OpenClaw that enables privilege escalation for certain scoped Gateway clients. Specifically, a chat.send request, when delivered through an inherited external route, can be incorrectly evaluated as an external-channel command while retaining the lower Gateway client scopes. This flaw affects OpenClaw deployments where a scoped Gateway caller with operator.write permissions can send commands into sessions utilizing external delivery routes. This bypasses security checks that typically require higher operator.approvals or operator.admin scopes for critical administrative functions. The vulnerability impacts versions prior to 2026.5.18 and allows for unauthorized execution of plugin, config, MCP, allowlist, and ACP mutations.
Attack Chain
- An attacker obtains or leverages existing
operator.writeprivileges within a scoped Gateway client in an OpenClaw deployment. - The attacker crafts a malicious
chat.sendrequest targeting administrative functions (e.g., plugin, config, MCP, allowlist, or ACP mutations). - The crafted
chat.sendrequest is intentionally delivered into a session that possesses an inherited external delivery route. - The OpenClaw system evaluates this specific request path as an external-channel command, despite originating from a scoped Gateway client.
- During this evaluation, the request erroneously retains the lower
operator.writeclient scopes, rather than requiring the higheroperator.approvalsoroperator.adminscopes mandated for the targeted administrative commands. - The administrative command is executed with insufficient privileges, bypassing the intended security scope gates and achieving privilege escalation within the OpenClaw environment.
Impact
The successful exploitation of this vulnerability allows an attacker with only operator.write permissions to execute commands that should explicitly require higher operator.approvals or operator.admin scopes. This includes critical administrative commands related to plugin management, configuration changes, Message Control Protocol (MCP) modifications, allowlist adjustments, and Access Control Policy (ACP) mutations. Such unauthorized execution can lead to severe system compromise, data manipulation, unauthorized access, and potentially full control over the OpenClaw instance, undermining the integrity and security posture of the platform.
Recommendation
- Upgrade all OpenClaw instances to version
openclaw@2026.5.18or later immediately to patch the vulnerability. - Review and restrict
operator.writetoken grants: Avoid grantingoperator.writetokens to clients that can deliver commands into sessions with external routes unless those clients are explicitly trusted with admin-like command effects.