<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openclaw (&lt; 2026.5.18) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openclaw--2026.5.18/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:17:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openclaw--2026.5.18/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Vulnerability Allows Local Forged Identity Headers</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/</link><pubDate>Fri, 03 Jul 2026 12:17:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/</guid><description>A vulnerability (GHSA-rggc-m335-3wvj) in OpenClaw's trusted-proxy deployments allows a local attacker on the same host to forge identity headers, bypassing intended security controls and potentially leading to unauthorized access or privilege escalation if the affected feature is enabled and reachable.</description><content:encoded><![CDATA[<p>A significant security vulnerability, tracked as GHSA-rggc-m335-3wvj, has been identified in OpenClaw's trusted-proxy deployments, specifically impacting versions prior to <code>2026.5.18</code>. This flaw allows a local attacker, operating from the same host where an OpenClaw Gateway instance is running, to forge identity headers. By directly communicating with the proxy-facing Gateway port and presenting these falsified headers, the attacker can effectively bypass the security mechanisms designed for trusted proxies. If the affected feature is active and accessible, this enables the local caller to assume an operator's identity, potentially leading to unauthorized access, configuration changes, or privilege escalation within the OpenClaw environment. This vulnerability is critical for organizations deploying OpenClaw in shared-host or multi-tenant environments where local access by lower-trust processes is possible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker gains local access to a system hosting an OpenClaw Gateway instance configured for trusted-proxy deployments. This could be via another compromised application or a low-privilege user account.</li>
<li><strong>Discovery</strong>: The attacker probes the local system to identify the specific network port on which the OpenClaw Gateway's proxy-facing service is listening.</li>
<li><strong>Direct Connection</strong>: The attacker establishes a direct network connection from their local process to the discovered OpenClaw Gateway port, bypassing the legitimate trusted proxy infrastructure.</li>
<li><strong>Header Forgery</strong>: The attacker crafts and sends HTTP requests containing forged identity headers, mimicking those that would normally be generated and supplied by a trusted upstream proxy.</li>
<li><strong>Vulnerable Processing</strong>: The affected OpenClaw Gateway instance (versions <code>&lt; 2026.5.18</code>) accepts and processes these forged identity headers from the direct local connection without proper validation.</li>
<li><strong>Identity Assumption</strong>: The Gateway attributes the operator identity specified in the forged headers to the local attacker's process.</li>
<li><strong>Privilege Escalation / Unauthorized Actions</strong>: The attacker, now operating with the assumed operator identity, performs unauthorized actions such as modifying configurations, accessing sensitive data, or escalating privileges within the OpenClaw system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this vulnerability can lead to significant security breaches. If an attacker can successfully forge identity headers, they can impersonate an authorized operator within the OpenClaw environment. The practical impact is highly dependent on the privileges associated with the impersonated operator and the specific configurations of the OpenClaw Gateway. This could result in unauthorized configuration changes, data manipulation or exfiltration, or complete administrative control over the OpenClaw instance. Organizations with shared hosting environments or those running multiple applications on the same server as OpenClaw are particularly at risk, as any compromised local process could leverage this flaw.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Upgrade all OpenClaw Gateway instances to version <code>2026.5.18</code> or newer to remediate the vulnerability described in GHSA-rggc-m335-3wvj.</li>
<li><strong>Network Segmentation</strong>: Implement network controls to bind the trusted-proxy ingress behind the actual trusted proxy and firewall direct same-host access to the Gateway port, as mentioned in the GHSA-rggc-m335-3wvj mitigations.</li>
<li><strong>Feature Disablement</strong>: Disable the affected trusted-proxy feature if it is not explicitly required for your operational workflow to reduce the attack surface.</li>
<li><strong>Access Control</strong>: Ensure that lower-trust applications or users on the same host cannot reach the OpenClaw Gateway's proxy-facing port, following the hardening advice from GHSA-rggc-m335-3wvj.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>proxy</category><category>privilege-escalation</category><category>defense-evasion</category><category>npm</category><category>server</category></item><item><title>OpenClaw Scoped Chat Route Inheritance Could Bypass Admin Command Scope Gates</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-scope-bypass/</link><pubDate>Fri, 03 Jul 2026 12:14:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-scope-bypass/</guid><description>A vulnerability in OpenClaw allows an attacker with `operator.write` privileges to bypass intended administrative command scope gates by delivering a scoped Gateway `chat.send` request through an inherited external route, leading to unauthorized execution of critical administrative commands.</description><content:encoded><![CDATA[<p>A high-severity vulnerability has been identified in OpenClaw that enables privilege escalation for certain scoped Gateway clients. Specifically, a <code>chat.send</code> request, when delivered through an inherited external route, can be incorrectly evaluated as an external-channel command while retaining the lower Gateway client scopes. This flaw affects OpenClaw deployments where a scoped Gateway caller with <code>operator.write</code> permissions can send commands into sessions utilizing external delivery routes. This bypasses security checks that typically require higher <code>operator.approvals</code> or <code>operator.admin</code> scopes for critical administrative functions. The vulnerability impacts versions prior to <code>2026.5.18</code> and allows for unauthorized execution of plugin, config, MCP, allowlist, and ACP mutations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains or leverages existing <code>operator.write</code> privileges within a scoped Gateway client in an OpenClaw deployment.</li>
<li>The attacker crafts a malicious <code>chat.send</code> request targeting administrative functions (e.g., plugin, config, MCP, allowlist, or ACP mutations).</li>
<li>The crafted <code>chat.send</code> request is intentionally delivered into a session that possesses an inherited external delivery route.</li>
<li>The OpenClaw system evaluates this specific request path as an external-channel command, despite originating from a scoped Gateway client.</li>
<li>During this evaluation, the request erroneously retains the lower <code>operator.write</code> client scopes, rather than requiring the higher <code>operator.approvals</code> or <code>operator.admin</code> scopes mandated for the targeted administrative commands.</li>
<li>The administrative command is executed with insufficient privileges, bypassing the intended security scope gates and achieving privilege escalation within the OpenClaw environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this vulnerability allows an attacker with only <code>operator.write</code> permissions to execute commands that should explicitly require higher <code>operator.approvals</code> or <code>operator.admin</code> scopes. This includes critical administrative commands related to plugin management, configuration changes, Message Control Protocol (MCP) modifications, allowlist adjustments, and Access Control Policy (ACP) mutations. Such unauthorized execution can lead to severe system compromise, data manipulation, unauthorized access, and potentially full control over the OpenClaw instance, undermining the integrity and security posture of the platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all OpenClaw instances to version <code>openclaw@2026.5.18</code> or later immediately to patch the vulnerability.</li>
<li>Review and restrict <code>operator.write</code> token grants: Avoid granting <code>operator.write</code> tokens to clients that can deliver commands into sessions with external routes unless those clients are explicitly trusted with admin-like command effects.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>privilege-escalation</category><category>openclaw</category><category>application-security</category></item><item><title>OpenClaw Trusted-proxy Control UI Privilege Escalation (GHSA-qjpc-qf9m-xwmr)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-privesc/</link><pubDate>Fri, 03 Jul 2026 12:03:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-privesc/</guid><description>A vulnerability in OpenClaw's trusted-proxy Control UI mode allows an unpaired or restricted trusted-proxy client to gain temporary `operator.admin` authority by declaring elevated WebSocket scopes before proper server-side authorization, enabling the execution of admin-gated Gateway RPCs until the connection is closed or revalidated.</description><content:encoded><![CDATA[<p>A significant vulnerability has been identified in OpenClaw's trusted-proxy Control UI, designated GHSA-qjpc-qf9m-xwmr. This flaw permits an attacker to bypass authorization mechanisms by declaring elevated operator scopes via a WebSocket connection, even if their device identity is unpaired or restricted. Specifically, the system accepts these client-declared scopes before validating them against a server-approved pairing or trusted-proxy authorization baseline. This can lead to a temporary privilege escalation, granting <code>operator.admin</code> authority which allows the execution of administrative Gateway RPCs. The issue affects OpenClaw deployments configured with <code>gateway.auth.mode: &quot;trusted-proxy&quot;</code> and impacts versions prior to <code>2026.5.18</code>. Defenders must prioritize upgrading to the patched version to prevent unauthorized access and potential system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains or establishes a connection to a trusted-proxy Control UI client with either an unpaired device identity or a restricted trusted-proxy user account.</li>
<li>The attacker opens a WebSocket connection to the OpenClaw gateway using this client.</li>
<li>During the WebSocket handshake or early communication, the attacker's client declares elevated operator scopes, such as <code>operator.admin</code>, for its session.</li>
<li>The OpenClaw gateway, due to the vulnerability, accepts these client-declared scopes without immediately verifying them against the pre-established trusted-proxy authorization policy or a server-approved pairing.</li>
<li>The attacker temporarily obtains cached <code>operator.admin</code> authority on their live WebSocket connection, despite their actual authorization level.</li>
<li>Using this elevated authority, the attacker executes admin-gated Gateway RPCs, potentially performing unauthorized administrative actions.</li>
<li>The administrative authority persists until the WebSocket connection is closed or the gateway performs a revalidation of the client's scopes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can lead to unauthorized administrative control over the OpenClaw gateway. An attacker exploiting this flaw could execute any <code>operator.admin</code>-gated RPCs, potentially leading to configuration changes, data manipulation, or denial of service within the affected system. While the authority is temporary (lasting until the connection closes or revalidates), it provides a window for attackers to cause significant damage. The vulnerability specifically targets deployments utilizing <code>gateway.auth.mode: &quot;trusted-proxy&quot;</code>, making environments relying on this mode susceptible to privilege escalation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all OpenClaw installations to version <code>openclaw@2026.5.18</code> or later to patch the vulnerability as stated in the source.</li>
<li>Before upgrading, restrict trusted-proxy Control UI access to only those users who are genuinely authorized for the scopes they are permitted to request.</li>
<li>Restart the OpenClaw gateway after implementing any changes to the trusted-proxy authorization policy to ensure the new policies are active.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>privilege-escalation</category><category>websocket</category><category>npm</category></item></channel></rss>