<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Allowlist - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/allowlist/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 17 Jan 2024 18:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/allowlist/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Unauthorized Channel Allowlist Modification via chat.send</title><link>https://feed.craftedsignal.io/briefs/2024-01-17-openclaw-privilege-escalation/</link><pubDate>Wed, 17 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-17-openclaw-privilege-escalation/</guid><description>A vulnerability in OpenClaw versions 2026.3.23 and earlier allows a gateway client with `operator.write` scope to bypass intended privilege separation and persist channel authorization policy.</description><content:encoded><![CDATA[<p>OpenClaw versions 2026.3.23 and earlier contain a privilege escalation vulnerability that allows an attacker with <code>operator.write</code> scope to modify channel authorization policies that should be restricted to <code>operator.admin</code> scope. This occurs due to a missing sink-side check on the <code>/allowlist</code> command when called internally through the <code>chat.send</code> function. A malicious actor can leverage this vulnerability to widen DM or group allowlists for channels, bypassing intended authorization controls. The vulnerability was patched in OpenClaw version 2026.3.24, which is the current shipping release. This bypass weakens the documented control-plane privilege split between write actions and admin-only persistent authorization mutation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the OpenClaw gateway with <code>operator.write</code> scope.</li>
<li>The attacker sends a message via the <code>chat.send</code> API.</li>
<li><code>chat.send</code> builds an internal message context with <code>CommandAuthorized: true</code> and includes <code>GatewayClientScopes</code>.</li>
<li><code>resolveCommandAuthorization(...)</code> translates this into <code>isAuthorizedSender=true</code> because no stricter override is present.</li>
<li>The attacker uses the <code>/allowlist add|remove</code> command within the <code>chat.send</code> message content.</li>
<li>The <code>/allowlist</code> handler clones the parsed config and calls <code>plugin.allowlist.applyConfigEdit(...)</code>.</li>
<li>The handler validates the result and attempts to persist it with <code>writeConfigFile(validated.config)</code>.</li>
<li>Due to the missing <code>operator.admin</code> check before the write occurs, the configuration is updated, widening the DM or group allowlists for the targeted channel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A gateway client limited to <code>operator.write</code> can persist first-party channel authorization policy, which should require <code>operator.admin</code>. This allows the attacker to widen DM or group allowlists for channels using the <code>/allowlist</code> functionality. Successfully exploiting this vulnerability weakens the security posture of the OpenClaw gateway by undermining the intended access control mechanisms. Attackers can potentially read private communications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.24 or later to patch the vulnerability (reference: GitHub advisory).</li>
<li>Monitor gateway logs for the use of <code>/allowlist add</code> or <code>/allowlist remove</code> commands originating from <code>operator.write</code>-scoped clients (reference: Attack Chain).</li>
<li>Implement rate limiting on the <code>chat.send</code> API to mitigate potential abuse (reference: Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openclaw</category><category>privilege-escalation</category><category>allowlist</category></item></channel></rss>