{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openclaw--2026.5.18/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c 2026.5.18)","npm/openclaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","proxy","privilege-escalation","defense-evasion","npm","server"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA significant security vulnerability, tracked as GHSA-rggc-m335-3wvj, has been identified in OpenClaw's trusted-proxy deployments, specifically impacting versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e. This flaw allows a local attacker, operating from the same host where an OpenClaw Gateway instance is running, to forge identity headers. By directly communicating with the proxy-facing Gateway port and presenting these falsified headers, the attacker can effectively bypass the security mechanisms designed for trusted proxies. If the affected feature is active and accessible, this enables the local caller to assume an operator's identity, potentially leading to unauthorized access, configuration changes, or privilege escalation within the OpenClaw environment. This vulnerability is critical for organizations deploying OpenClaw in shared-host or multi-tenant environments where local access by lower-trust processes is possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker gains local access to a system hosting an OpenClaw Gateway instance configured for trusted-proxy deployments. This could be via another compromised application or a low-privilege user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery\u003c/strong\u003e: The attacker probes the local system to identify the specific network port on which the OpenClaw Gateway's proxy-facing service is listening.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirect Connection\u003c/strong\u003e: The attacker establishes a direct network connection from their local process to the discovered OpenClaw Gateway port, bypassing the legitimate trusted proxy infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHeader Forgery\u003c/strong\u003e: The attacker crafts and sends HTTP requests containing forged identity headers, mimicking those that would normally be generated and supplied by a trusted upstream proxy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Processing\u003c/strong\u003e: The affected OpenClaw Gateway instance (versions \u003ccode\u003e\u0026lt; 2026.5.18\u003c/code\u003e) accepts and processes these forged identity headers from the direct local connection without proper validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentity Assumption\u003c/strong\u003e: The Gateway attributes the operator identity specified in the forged headers to the local attacker's process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Unauthorized Actions\u003c/strong\u003e: The attacker, now operating with the assumed operator identity, performs unauthorized actions such as modifying configurations, accessing sensitive data, or escalating privileges within the OpenClaw system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability can lead to significant security breaches. If an attacker can successfully forge identity headers, they can impersonate an authorized operator within the OpenClaw environment. The practical impact is highly dependent on the privileges associated with the impersonated operator and the specific configurations of the OpenClaw Gateway. This could result in unauthorized configuration changes, data manipulation or exfiltration, or complete administrative control over the OpenClaw instance. Organizations with shared hosting environments or those running multiple applications on the same server as OpenClaw are particularly at risk, as any compromised local process could leverage this flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Upgrade all OpenClaw Gateway instances to version \u003ccode\u003e2026.5.18\u003c/code\u003e or newer to remediate the vulnerability described in GHSA-rggc-m335-3wvj.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Segmentation\u003c/strong\u003e: Implement network controls to bind the trusted-proxy ingress behind the actual trusted proxy and firewall direct same-host access to the Gateway port, as mentioned in the GHSA-rggc-m335-3wvj mitigations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFeature Disablement\u003c/strong\u003e: Disable the affected trusted-proxy feature if it is not explicitly required for your operational workflow to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Control\u003c/strong\u003e: Ensure that lower-trust applications or users on the same host cannot reach the OpenClaw Gateway's proxy-facing port, following the hardening advice from GHSA-rggc-m335-3wvj.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:17:46Z","date_published":"2026-07-03T12:17:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/","summary":"A vulnerability (GHSA-rggc-m335-3wvj) in OpenClaw's trusted-proxy deployments allows a local attacker on the same host to forge identity headers, bypassing intended security controls and potentially leading to unauthorized access or privilege escalation if the affected feature is enabled and reachable.","title":"OpenClaw Vulnerability Allows Local Forged Identity Headers","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openclaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","openclaw","application-security"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA high-severity vulnerability has been identified in OpenClaw that enables privilege escalation for certain scoped Gateway clients. Specifically, a \u003ccode\u003echat.send\u003c/code\u003e request, when delivered through an inherited external route, can be incorrectly evaluated as an external-channel command while retaining the lower Gateway client scopes. This flaw affects OpenClaw deployments where a scoped Gateway caller with \u003ccode\u003eoperator.write\u003c/code\u003e permissions can send commands into sessions utilizing external delivery routes. This bypasses security checks that typically require higher \u003ccode\u003eoperator.approvals\u003c/code\u003e or \u003ccode\u003eoperator.admin\u003c/code\u003e scopes for critical administrative functions. The vulnerability impacts versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e and allows for unauthorized execution of plugin, config, MCP, allowlist, and ACP mutations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains or leverages existing \u003ccode\u003eoperator.write\u003c/code\u003e privileges within a scoped Gateway client in an OpenClaw deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003echat.send\u003c/code\u003e request targeting administrative functions (e.g., plugin, config, MCP, allowlist, or ACP mutations).\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003echat.send\u003c/code\u003e request is intentionally delivered into a session that possesses an inherited external delivery route.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw system evaluates this specific request path as an external-channel command, despite originating from a scoped Gateway client.\u003c/li\u003e\n\u003cli\u003eDuring this evaluation, the request erroneously retains the lower \u003ccode\u003eoperator.write\u003c/code\u003e client scopes, rather than requiring the higher \u003ccode\u003eoperator.approvals\u003c/code\u003e or \u003ccode\u003eoperator.admin\u003c/code\u003e scopes mandated for the targeted administrative commands.\u003c/li\u003e\n\u003cli\u003eThe administrative command is executed with insufficient privileges, bypassing the intended security scope gates and achieving privilege escalation within the OpenClaw environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability allows an attacker with only \u003ccode\u003eoperator.write\u003c/code\u003e permissions to execute commands that should explicitly require higher \u003ccode\u003eoperator.approvals\u003c/code\u003e or \u003ccode\u003eoperator.admin\u003c/code\u003e scopes. This includes critical administrative commands related to plugin management, configuration changes, Message Control Protocol (MCP) modifications, allowlist adjustments, and Access Control Policy (ACP) mutations. Such unauthorized execution can lead to severe system compromise, data manipulation, unauthorized access, and potentially full control over the OpenClaw instance, undermining the integrity and security posture of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenClaw instances to version \u003ccode\u003eopenclaw@2026.5.18\u003c/code\u003e or later immediately to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u003ccode\u003eoperator.write\u003c/code\u003e token grants: Avoid granting \u003ccode\u003eoperator.write\u003c/code\u003e tokens to clients that can deliver commands into sessions with external routes unless those clients are explicitly trusted with admin-like command effects.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:14:04Z","date_published":"2026-07-03T12:14:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-scope-bypass/","summary":"A vulnerability in OpenClaw allows an attacker with `operator.write` privileges to bypass intended administrative command scope gates by delivering a scoped Gateway `chat.send` request through an inherited external route, leading to unauthorized execution of critical administrative commands.","title":"OpenClaw Scoped Chat Route Inheritance Could Bypass Admin Command Scope Gates","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-scope-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","websocket","npm"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA significant vulnerability has been identified in OpenClaw's trusted-proxy Control UI, designated GHSA-qjpc-qf9m-xwmr. This flaw permits an attacker to bypass authorization mechanisms by declaring elevated operator scopes via a WebSocket connection, even if their device identity is unpaired or restricted. Specifically, the system accepts these client-declared scopes before validating them against a server-approved pairing or trusted-proxy authorization baseline. This can lead to a temporary privilege escalation, granting \u003ccode\u003eoperator.admin\u003c/code\u003e authority which allows the execution of administrative Gateway RPCs. The issue affects OpenClaw deployments configured with \u003ccode\u003egateway.auth.mode: \u0026quot;trusted-proxy\u0026quot;\u003c/code\u003e and impacts versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e. Defenders must prioritize upgrading to the patched version to prevent unauthorized access and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or establishes a connection to a trusted-proxy Control UI client with either an unpaired device identity or a restricted trusted-proxy user account.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a WebSocket connection to the OpenClaw gateway using this client.\u003c/li\u003e\n\u003cli\u003eDuring the WebSocket handshake or early communication, the attacker's client declares elevated operator scopes, such as \u003ccode\u003eoperator.admin\u003c/code\u003e, for its session.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw gateway, due to the vulnerability, accepts these client-declared scopes without immediately verifying them against the pre-established trusted-proxy authorization policy or a server-approved pairing.\u003c/li\u003e\n\u003cli\u003eThe attacker temporarily obtains cached \u003ccode\u003eoperator.admin\u003c/code\u003e authority on their live WebSocket connection, despite their actual authorization level.\u003c/li\u003e\n\u003cli\u003eUsing this elevated authority, the attacker executes admin-gated Gateway RPCs, potentially performing unauthorized administrative actions.\u003c/li\u003e\n\u003cli\u003eThe administrative authority persists until the WebSocket connection is closed or the gateway performs a revalidation of the client's scopes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to unauthorized administrative control over the OpenClaw gateway. An attacker exploiting this flaw could execute any \u003ccode\u003eoperator.admin\u003c/code\u003e-gated RPCs, potentially leading to configuration changes, data manipulation, or denial of service within the affected system. While the authority is temporary (lasting until the connection closes or revalidates), it provides a window for attackers to cause significant damage. The vulnerability specifically targets deployments utilizing \u003ccode\u003egateway.auth.mode: \u0026quot;trusted-proxy\u0026quot;\u003c/code\u003e, making environments relying on this mode susceptible to privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenClaw installations to version \u003ccode\u003eopenclaw@2026.5.18\u003c/code\u003e or later to patch the vulnerability as stated in the source.\u003c/li\u003e\n\u003cli\u003eBefore upgrading, restrict trusted-proxy Control UI access to only those users who are genuinely authorized for the scopes they are permitted to request.\u003c/li\u003e\n\u003cli\u003eRestart the OpenClaw gateway after implementing any changes to the trusted-proxy authorization policy to ensure the new policies are active.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:03:27Z","date_published":"2026-07-03T12:03:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-privesc/","summary":"A vulnerability in OpenClaw's trusted-proxy Control UI mode allows an unpaired or restricted trusted-proxy client to gain temporary `operator.admin` authority by declaring elevated WebSocket scopes before proper server-side authorization, enabling the execution of admin-gated Gateway RPCs until the connection is closed or revalidated.","title":"OpenClaw Trusted-proxy Control UI Privilege Escalation (GHSA-qjpc-qf9m-xwmr)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Openclaw (\u003c 2026.5.18)","version":"https://jsonfeed.org/version/1.1"}