Attack Chain

1. Attacker identifies an instance of OpenClaw running a version prior to 2026.3.22.
2. Attacker crafts a malicious chat command intended to interact with the ACP.
3. The malicious command bypasses the intended operator.admin scope check due to the vulnerability.
4. The crafted command is sent to the OpenClaw application via the chat interface.
5. The vulnerable code in src/auto-reply/reply/commands-acp.ts processes the command without proper authorization.
6. The command execution results in the mutation of internal ACP configurations or data.
7. Attacker leverages the mutated configurations to gain further control over the OpenClaw application or its environment.

Impact

Successful exploitation of this vulnerability could allow an attacker to perform unauthorized administrative actions within the OpenClaw application. This may include modifying application settings, accessing sensitive data, or disrupting services. The severity of the impact depends on the specific ACP commands that are exposed and the attacker’s ability to chain together multiple commands for greater effect.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.22 or later to apply the fix described in the advisory (see Affected Packages / Versions).
• Monitor chat command inputs for unusual syntax or attempts to access administrative functionalities to detect potential exploitation attempts (use network or application logs).
• Review and audit existing OpenClaw configurations for any unauthorized modifications that may have occurred due to this vulnerability.
• Implement input validation and sanitization on all chat command inputs to prevent command injection attacks.
• Deploy the Sigma rule provided to detect attempts to use ACP commands without proper authorization (see “OpenClaw ACP Command Execution Without Admin Scope”).