{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/allowlist/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["openclaw","privilege-escalation","allowlist"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions 2026.3.23 and earlier contain a privilege escalation vulnerability that allows an attacker with \u003ccode\u003eoperator.write\u003c/code\u003e scope to modify channel authorization policies that should be restricted to \u003ccode\u003eoperator.admin\u003c/code\u003e scope. This occurs due to a missing sink-side check on the \u003ccode\u003e/allowlist\u003c/code\u003e command when called internally through the \u003ccode\u003echat.send\u003c/code\u003e function. A malicious actor can leverage this vulnerability to widen DM or group allowlists for channels, bypassing intended authorization controls. The vulnerability was patched in OpenClaw version 2026.3.24, which is the current shipping release. This bypass weakens the documented control-plane privilege split between write actions and admin-only persistent authorization mutation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the OpenClaw gateway with \u003ccode\u003eoperator.write\u003c/code\u003e scope.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a message via the \u003ccode\u003echat.send\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003echat.send\u003c/code\u003e builds an internal message context with \u003ccode\u003eCommandAuthorized: true\u003c/code\u003e and includes \u003ccode\u003eGatewayClientScopes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eresolveCommandAuthorization(...)\u003c/code\u003e translates this into \u003ccode\u003eisAuthorizedSender=true\u003c/code\u003e because no stricter override is present.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/allowlist add|remove\u003c/code\u003e command within the \u003ccode\u003echat.send\u003c/code\u003e message content.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/allowlist\u003c/code\u003e handler clones the parsed config and calls \u003ccode\u003eplugin.allowlist.applyConfigEdit(...)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe handler validates the result and attempts to persist it with \u003ccode\u003ewriteConfigFile(validated.config)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eoperator.admin\u003c/code\u003e check before the write occurs, the configuration is updated, widening the DM or group allowlists for the targeted channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA gateway client limited to \u003ccode\u003eoperator.write\u003c/code\u003e can persist first-party channel authorization policy, which should require \u003ccode\u003eoperator.admin\u003c/code\u003e. This allows the attacker to widen DM or group allowlists for channels using the \u003ccode\u003e/allowlist\u003c/code\u003e functionality. Successfully exploiting this vulnerability weakens the security posture of the OpenClaw gateway by undermining the intended access control mechanisms. Attackers can potentially read private communications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to patch the vulnerability (reference: GitHub advisory).\u003c/li\u003e\n\u003cli\u003eMonitor gateway logs for the use of \u003ccode\u003e/allowlist add\u003c/code\u003e or \u003ccode\u003e/allowlist remove\u003c/code\u003e commands originating from \u003ccode\u003eoperator.write\u003c/code\u003e-scoped clients (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003echat.send\u003c/code\u003e API to mitigate potential abuse (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-17T18:00:00Z","date_published":"2024-01-17T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-17-openclaw-privilege-escalation/","summary":"A vulnerability in OpenClaw versions 2026.3.23 and earlier allows a gateway client with `operator.write` scope to bypass intended privilege separation and persist channel authorization policy.","title":"OpenClaw Unauthorized Channel Allowlist Modification via chat.send","url":"https://feed.craftedsignal.io/briefs/2024-01-17-openclaw-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed - Allowlist","version":"https://jsonfeed.org/version/1.1"}