{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/config-mutation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["config-mutation","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.4.23 contain a vulnerability where a compromised model, granted access to the owner-only \u003ccode\u003egateway\u003c/code\u003e tool, can exploit an insufficient denylist used to protect configuration settings. This denylist, intended as a model-to-operator trust boundary, failed to keep pace with the evolving config schema. This allowed sensitive subtrees to be writable through model-driven gateway config mutations. The vulnerability was addressed in version 2026.4.23 by replacing the denylist with a more secure fail-closed allowlist, restricting agent-driven configuration changes. The vulnerable entry point is owner-only, emphasizing the importance of securing the model/agent interface, which should not be considered a trusted principal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a model with access to the \u003ccode\u003egateway\u003c/code\u003e tool, potentially through prompt injection or other compromise techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious configuration payload designed to exploit the incomplete denylist.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003egateway config.apply\u003c/code\u003e or \u003ccode\u003egateway config.patch\u003c/code\u003e command to submit the crafted configuration.\u003c/li\u003e\n\u003cli\u003eThe compromised model interacts with the \u003ccode\u003egateway\u003c/code\u003e tool to apply the malicious configuration changes, bypassing the insufficient denylist.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration changes are written to the OpenClaw configuration files.\u003c/li\u003e\n\u003cli\u003eThe configuration changes persist even after OpenClaw restarts.\u003c/li\u003e\n\u003cli\u003eThese persisted changes allow the attacker to manipulate command execution, network behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent control over OpenClaw\u0026rsquo;s behavior, potentially leading to data exfiltration, service disruption, or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to persist unsafe configuration changes within OpenClaw. These changes can affect critical system functions, including command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. The changes survive restarts, granting the attacker persistent control. While the specific number of affected installations is unknown, any OpenClaw instance running a version prior to 2026.4.23 is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.23 or later to incorporate the fix that replaces the denylist with a fail-closed allowlist.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for any data passed to the \u003ccode\u003egateway\u003c/code\u003e tool to prevent prompt injection attacks, addressing the vulnerability described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor the execution of \u003ccode\u003egateway config.apply\u003c/code\u003e and \u003ccode\u003egateway config.patch\u003c/code\u003e commands for unexpected arguments or payloads that may indicate exploitation attempts, creating a detection opportunity based on observed command execution.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring on OpenClaw configuration files to detect unauthorized modifications, providing an alert mechanism if malicious changes persist on disk.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T18:44:31Z","date_published":"2026-05-05T18:44:31Z","id":"/briefs/2026-05-openclaw-config-mutation/","summary":"A vulnerability in OpenClaw versions before 2026.4.23 allows a compromised model with access to the `gateway` tool to persist unsafe config changes that cross security boundaries due to an insufficient denylist.","title":"OpenClaw Gateway Configuration Mutation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-config-mutation/"}],"language":"en","title":"CraftedSignal Threat Feed — Config-Mutation","version":"https://jsonfeed.org/version/1.1"}