Attack Chain

1. The attacker identifies an OpenClaw instance running a version prior to 2026.4.8.
2. The attacker crafts a malicious URL targeting the QQ Bot media download functionality. This URL contains a payload designed to exploit the SSRF vulnerability.
3. The attacker injects the malicious URL into the QQ Bot’s media download path, bypassing expected SSRF protections.
4. OpenClaw processes the crafted URL without proper validation, initiating a request to an attacker-controlled internal resource.
5. The OpenClaw server makes a request to the specified internal resource, potentially exposing sensitive information or triggering unintended actions.
6. The internal resource responds to the OpenClaw server, and the response is potentially relayed back to the attacker or used to further compromise the system.
7. The attacker gains unauthorized access to internal resources or sensitive data due to the successful SSRF attack.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-41914) can lead to the disclosure of sensitive information from internal systems, potentially affecting all users and services dependent on the compromised OpenClaw instance. The severity is amplified by the potential to bypass existing SSRF protections, increasing the attack surface and difficulty of detection. Impact ranges from information disclosure to potential compromise of other internal services, depending on the specific internal resources accessible from the OpenClaw server.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch the SSRF vulnerability (CVE-2026-41914).
• Deploy the Sigma rule Detect Suspicious OpenClaw SSRF Attempt to identify potential exploitation attempts targeting the vulnerable media download paths.
• Implement strict network segmentation to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources from the OpenClaw server.

Attack Chain

1. The attacker gains access to the OpenClaw configuration.
2. The attacker modifies the remoteWorkspaceDir and/or remoteAgentWorkspaceDir configuration values to point to a target directory they wish to delete.
3. The attacker initiates a mirror sync operation.
4. OpenClaw, using the attacker-controlled path, connects to the remote system.
5. OpenClaw deletes the contents of the directory specified by the modified remoteWorkspaceDir or remoteAgentWorkspaceDir.
6. OpenClaw uploads the contents of the attacker’s local workspace to the now-empty remote directory, effectively replacing the original data.
7. The targeted remote directory now contains the attacker’s data instead of the original contents.
8. The attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.

Impact

Successful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.

Recommendation

• Upgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.
• Monitor OpenClaw configuration files for unauthorized modifications to remoteWorkspaceDir and remoteAgentWorkspaceDir using a file integrity monitoring system.
• Implement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.
• Deploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.

Attack Chain

1. Attacker clones a legitimate OpenClaw workspace.
2. Attacker crafts a malicious plugin designed to exploit the trust boundary vulnerability.
3. The malicious plugin is configured to claim a bundled channel ID that OpenClaw uses for built-in channels.
4. The cloned workspace, including the malicious plugin, is distributed to a target user.
5. The target user opens the cloned workspace in a vulnerable version of OpenClaw (before 2026.4.2).
6. During the workspace loading and channel setup process, OpenClaw incorrectly trusts the malicious plugin due to the claimed channel ID.
7. The malicious plugin executes arbitrary code within the OpenClaw process.
8. The attacker gains control or compromises the user’s OpenClaw session.

Impact

Successful exploitation of CVE-2026-41295 leads to arbitrary code execution within the OpenClaw application. An attacker can leverage this to potentially steal sensitive information, modify workspace data, or escalate privileges on the affected system. The vulnerability impacts all OpenClaw users running versions prior to 2026.4.2 who open a maliciously crafted workspace. The impact is severe, as it allows for immediate code execution without explicit user consent or trust of the malicious plugin.

Recommendation

• Upgrade OpenClaw to version 2026.4.2 or later to patch CVE-2026-41295.
• Monitor for the creation and loading of OpenClaw plugins, specifically those claiming bundled channel IDs, using a process creation rule with a focus on command-line arguments.
• Implement application control policies to restrict the execution of unsigned or untrusted plugins within OpenClaw to mitigate the risk of malicious plugin execution.

Attack Chain

1. An attacker crafts a malicious tool-result that contains a media reference with a file path intended to bypass local-root containment (e.g., a path outside the allowed localRoots).
2. The user interacts with the malicious tool-result within the OpenClaw webchat interface.
3. The webchat media embedding functionality attempts to normalize the media reference.
4. Due to the vulnerability, the crafted file path bypasses the localRoots containment check.
5. The host system attempts to read the file from the specified path (either local or UNC).
6. If successful, the file content is potentially exposed. On Windows, the system might attempt to access a UNC path, potentially exposing network credentials.
7. The webchat media block is prepared with the (potentially exposed) file content.
8. Although the vulnerability is triggered host-side before the user sees the final rendered result, sensitive information could be leaked.

Impact

Successful exploitation of this vulnerability could lead to the disclosure of sensitive files on the host system. On Windows systems, exploitation may result in the exposure of network credentials if a UNC path is accessed. While the severity is medium because exploitation depends on a tool-result media path reaching the webchat embedding path, the sink is a host-side file read before the user sees the rendered result. This impacts OpenClaw installations running versions 2026.4.7 through 2026.4.14.

Recommendation

• Upgrade OpenClaw to version 2026.4.15 or later to patch the vulnerability. The fix hardens the webchat media path and shared media resolver, rejecting remote-host file:// URLs and Windows network paths.
• Deploy the Sigma rule Detect Suspicious OpenClaw UNC Path Access to identify attempts to access UNC paths via OpenClaw.
• Review the code changes in commits 1470de5d3e0970856d86cd99336bb8ada3fe87da, 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde, and 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc to understand the implemented security measures in version 2026.4.15.

Attack Chain

1. An attacker gains control over an environment where the vulnerable openclaw package is utilized.
2. The attacker identifies that the openclaw version is prior to 2026.4.10.
3. The attacker injects a malicious environment variable, such as VIMINIT, EXINIT, LUA_INIT, or HOSTALIASES, into the system’s environment.
4. The openclaw package executes a process that reads and utilizes environment variables without proper sanitization.
5. The injected environment variable overrides the intended behavior of the process. For example, VIMINIT can be used to execute arbitrary vim commands upon startup.
6. This execution leads to arbitrary code execution or modified network behavior, depending on the injected variable. For example, HOSTALIASES can redirect network requests to attacker-controlled servers.
7. The attacker achieves their objective, such as gaining unauthorized access, exfiltrating data, or causing denial of service.
8. The attacker leverages the compromised environment to propagate the attack further.

Impact

The vulnerability allows for arbitrary code execution or network redirection by injecting malicious environment variables. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, or denial-of-service conditions. The specific impact depends on the context in which openclaw is used and the permissions of the user running the affected process. The reported vulnerability has been fixed in openclaw version 2026.4.10 and later.

Recommendation

• Upgrade the openclaw package to version 2026.4.10 or later to remediate the vulnerability, as indicated in the advisory (https://github.com/advisories/GHSA-vfp4-8x56-j7c5).
• Monitor process execution for the presence of environment variables being passed to child processes, focusing on VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Implement the Sigma rule below to detect suspicious process execution involving these variables.
• Implement a system-wide policy to restrict the modification of environment variables by non-administrative users.

Attack Chain

1. An attacker gains unauthorized operator.write privileges within the OpenClaw application, potentially through account compromise or privilege escalation from another vulnerability.
2. The attacker crafts a malicious HTTP request targeting the Gateway agent’s /reset endpoint.
3. The crafted request includes a specific sessionKey belonging to an administrative user.
4. Alternatively, the attacker could send a /new message containing the admin’s sessionKey.
5. Due to the insufficient access control, the Gateway agent processes the request, incorrectly resetting the targeted admin session.
6. The administrative user is forcibly logged out of their session, disrupting their work.
7. The attacker could potentially hijack the reset session depending on implementation details.
8. The attacker could then use their elevated access to perform unauthorized actions, such as modifying critical system configurations or accessing sensitive data.

Impact

Successful exploitation of CVE-2026-35660 allows attackers with operator.write privileges to reset arbitrary admin sessions in OpenClaw. This can lead to denial of service for legitimate administrators, and potentially allow the attacker to hijack the reset session or perform unauthorized actions, leading to data breaches or system compromise, depending on the application’s functionalities and the scope of admin privileges. The severity is rated as high with a CVSS score of 8.1.

Recommendation

• Upgrade OpenClaw to version 2026.3.23 or later to patch CVE-2026-35660.
• Review and enforce strict access control policies for the OpenClaw application, ensuring that operator.write privileges are only granted to trusted users.
• Monitor web server logs for suspicious requests to the /reset endpoint, especially those containing explicit sessionKey parameters and correlate with user roles.
• Deploy the Sigma rule “Detect OpenClaw Session Reset Attempt” to detect exploitation attempts (see below).

Attack Chain

1. An attacker identifies an OpenClaw instance running a version prior to 2026.3.24.
2. The attacker crafts a malicious request containing either a mediaUrl or fileUrl parameter.
3. The crafted URL includes path traversal sequences (e.g., ../) designed to navigate outside the intended sandbox directory.
4. The normalizeSandboxMediaParams function processes the URL but fails to adequately sanitize or normalize the path, due to insufficient validation.
5. The lack of proper mediaLocalRoots context during path resolution further contributes to the bypass.
6. The application attempts to access the file specified by the manipulated URL.
7. Due to the path traversal vulnerability, the application reads a file outside the intended sandbox root, potentially revealing sensitive information like API keys.
8. The attacker retrieves the contents of the targeted file, completing the unauthorized access.

Impact

Successful exploitation of CVE-2026-35668 can lead to the disclosure of sensitive information, including API keys and configuration data, stored within other agents’ workspaces. This unauthorized access can enable attackers to perform lateral movement, escalate privileges, or exfiltrate valuable data. While specific victim counts are unavailable, any OpenClaw deployment running a vulnerable version is at risk. The impact is heightened in environments where OpenClaw agents handle sensitive data or manage critical infrastructure.

Recommendation

• Upgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-35668 and address the underlying path traversal vulnerability.
• Implement input validation and sanitization for all URL parameters, especially those related to file or media access, to prevent path traversal attacks.
• Apply the provided Sigma rule to detect suspicious requests containing path traversal sequences in mediaUrl or fileUrl parameters within web server logs.
• Review and strengthen sandbox configurations to ensure proper isolation between OpenClaw agents and restrict access to sensitive files.

Attack Chain

1. The attacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.
2. The attacker crafts malicious environment variables, such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS, containing shell commands.
3. The attacker triggers a build process within OpenClaw that utilizes the affected environment variables. This could involve providing a specific input or interacting with OpenClaw in a way that initiates a build operation.
4. Due to the missing denylist, OpenClaw does not sanitize the malicious environment variables.
5. The build tool, influenced by the attacker-controlled environment variables, executes the injected shell commands.
6. The injected commands execute with the privileges of the OpenClaw process.
7. The attacker gains arbitrary code execution on the host system.
8. The attacker can now perform actions such as installing malware, exfiltrating data, or compromising other systems.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system running OpenClaw. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. Given OpenClaw’s nature as a user-controlled local assistant, the impact is primarily on individual user systems. However, in environments where OpenClaw is deployed more broadly, the vulnerability could be leveraged to compromise multiple machines.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch the vulnerability (see “Affected Packages / Versions”).
• Monitor process creation events for unexpected processes spawned by OpenClaw or its build tool subprocesses (see rules below).
• Implement additional input validation and sanitization measures to prevent environment variable injection in other applications.
• Review and harden build processes to limit the influence of environment variables.

Attack Chain

1. Attacker identifies a vulnerable OpenClaw instance running version 2026.4.2 or earlier.
2. Attacker authenticates to the OpenClaw instance.
3. Attacker crafts a malicious payload intended to be interpreted as a standard “wake” command.
4. Attacker sends a specially crafted /hooks/wake request or a mapped wake payload containing the malicious content.
5. Due to the vulnerability, OpenClaw incorrectly promotes the attacker-controlled payload into the trusted System: prompt channel.
6. The OpenClaw assistant processes the malicious payload within the System: context, granting it elevated privileges within the application’s trust model.
7. The malicious payload executes arbitrary commands or actions within the OpenClaw environment as a trusted system component.
8. The attacker achieves their objective, which could involve data manipulation, unauthorized access to local resources, or other malicious activities within the scope of the OpenClaw assistant.

Impact

This vulnerability allows an attacker to inject malicious commands into the trusted system prompt channel of OpenClaw. Successful exploitation could lead to unauthorized data access, modification, or execution of arbitrary code within the OpenClaw environment. While the advisory does not specify the number of affected users, any instance running OpenClaw version 2026.4.2 or earlier is vulnerable. The primary risk is the compromise of the user’s local assistant and potentially the data it manages.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to remediate the vulnerability (reference: Affected Packages / Versions).
• Monitor OpenClaw logs for suspicious activity related to the /hooks/wake endpoint (develop custom rules based on your OpenClaw logging configuration).
• Deploy the Sigma rule provided in this brief to detect potential exploitation attempts by monitoring process execution following /hooks/wake requests.

Attack Chain

1. The attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.
2. OpenClaw’s readFile function receives the request and validates that the requested path is within the allowed sandbox.
3. After the path is validated, but before the file is read, the attacker leverages a race condition to modify the file path. This could be achieved by symlink replacement or other file system manipulation techniques.
4. The readFile function now attempts to read the file from the modified path, which could point to a location outside the intended sandbox.
5. The file from the attacker-controlled path is read, bypassing the initial security check.
6. OpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file’s contents and the application’s handling of it.
7. The attacker successfully escapes the sandbox, gaining unauthorized access to the host system’s resources.

Impact

Successful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.
• Deploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.
• Enable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.

Attack Chain

1. Attacker identifies an OpenClaw instance running a vulnerable version (<=2026.3.28) using trusted-proxy authentication.
2. Attacker gains initial access with limited privileges, potentially via compromised credentials or another vulnerability.
3. Attacker authenticates via the trusted proxy, declaring a set of operator scopes.
4. Due to the incomplete scope clearing, the attacker’s declared operator scopes are not properly sanitized by the system.
5. The system incorrectly grants the attacker elevated privileges associated with the self-declared operator scopes.
6. Attacker exploits the elevated operator.admin privileges to access restricted resources or functionalities.
7. Attacker performs unauthorized actions, such as data modification, configuration changes, or lateral movement within the system.

Impact

Successful exploitation of this vulnerability allows an attacker to escalate their privileges to operator.admin within the OpenClaw environment. This could lead to unauthorized access to sensitive data, modification of critical system configurations, and potential disruption of services. The impact is especially significant for organizations that rely on OpenClaw for critical operations and have not yet upgraded to the patched version. The attacker could leverage the escalated privileges to perform a wide range of malicious activities, potentially compromising the entire system.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to remediate the vulnerability (Affected Packages / Versions).
• Monitor OpenClaw logs for suspicious activity related to trusted-proxy authentication and privilege escalation (logsource: “webserver”, product: “linux”).
• Implement strict access controls and regularly review user permissions to minimize the impact of potential privilege escalation attacks.
• Deploy the Sigma rule provided below to detect potential exploitation attempts targeting this vulnerability.

Attack Chain

1. A malicious actor crafts or modifies an existing OpenClaw model.
2. The model includes instructions to trigger the appendLocalMediaParentRoots function within the src/media/local-roots.ts file.
3. Due to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.
4. The model leverages the expanded directory access to request the reading of arbitrary files on the host system.
5. The openclaw application processes the model’s file read request without proper validation due to the bypassed whitelisting.
6. Sensitive files, such as configuration files or credential stores, are read by the application.
7. The extracted data, including credentials, are then potentially exfiltrated by the malicious model.
8. The attacker gains unauthorized access to sensitive data or systems.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the openclaw application is running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the openclaw package (<=2026.3.28) is susceptible. The impact is narrowed because the tool-fs root expansion requires prior configuration.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).
• Implement input validation and sanitization to prevent arbitrary file paths from being processed by the appendLocalMediaParentRoots function (reference: src/media/local-roots.ts).
• Deploy the Sigma rule to detect attempts to access sensitive files via the openclaw application (reference: Sigma rule below).
• Review and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).

Attack Chain

1. An attacker identifies a system using a vulnerable version (<=2026.3.28) of the openclaw npm package.
2. The attacker gains access to the system or its environment configuration.
3. The attacker sets either the PIP_INDEX_URL or UV_INDEX_URL environment variable to point to a malicious Python package index server.
4. The system executes a package installation command (e.g., pip install <package>) through openclaw.
5. openclaw, without proper sanitization, uses the attacker-controlled environment variable when resolving package dependencies.
6. The package manager connects to the malicious index server specified in the PIP_INDEX_URL or UV_INDEX_URL variable.
7. The attacker serves malicious or backdoored Python packages through the rogue index.
8. The system installs the malicious packages, potentially compromising the system with arbitrary code execution.

Impact

Successful exploitation of this vulnerability could lead to the installation of malicious Python packages on systems utilizing the vulnerable openclaw version. This could result in arbitrary code execution, data theft, or other malicious activities, depending on the contents of the malicious packages. The scope is somewhat limited since only allowlisted execution paths are affected, which reduces the blast radius.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later to remediate the vulnerability.
• Monitor process executions involving openclaw and the use of PIP_INDEX_URL or UV_INDEX_URL environment variables. Deploy the Sigma rule Detect OpenClaw Using Suspicious Index URL to detect exploitation attempts.
• Implement strict allowlisting of package management execution paths to further limit the potential impact.
• Enable process creation logging to capture command line arguments and environment variables for the openclaw process.

Attack Chain

1. Attacker identifies an OpenClaw Gateway instance running a vulnerable version (<= 2026.3.24).
2. Attacker obtains valid credentials for a gateway caller with write scope permissions.
3. Attacker crafts a chat.send request.
4. The chat.send request is designed to trigger the /reset command within the application.
5. The application incorrectly authorizes the /reset command based on the write scope of the chat.send request.
6. The target session is rotated, archiving the previous transcript state.
7. A new session ID is forced for the target.
8. The attacker effectively resets the target session without requiring admin-level privileges.

Impact

Successful exploitation of this vulnerability allows a write-scoped caller to perform administrative actions, specifically session resets. This could lead to disruption of service, unauthorized access to archived session data, or other unforeseen consequences depending on the specific implementation of OpenClaw Gateway. If an attacker can repeatedly reset sessions, it could create a denial-of-service condition.

Recommendation

• Upgrade OpenClaw Gateway to version 2026.3.28 or later to patch the vulnerability described in GHSA-5r8f-96gm-5j6g.
• Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
• Review the commit be00fcfccb to understand the fix and identify any potential backporting needs.

Attack Chain

1. A request is made to the gateway plugin that triggers the deleteSession function.
2. The deleteSession function checks for a request-scoped client.
3. If no request-scoped client exists, the code falls back to a default mechanism.
4. The vulnerable code path then incorrectly creates a synthetic operator.admin runtime scope.
5. The sessions.delete function is dispatched with the elevated operator.admin scope.
6. Session deletion occurs with the privileges of the synthetic admin operator.
7. An attacker could potentially trigger this code path to delete sessions they should not have access to.

Impact

Successful exploitation of this vulnerability could lead to unauthorized session deletion within the openclaw application. While the exact impact depends on the specific deployment and usage of openclaw, the ability to delete arbitrary sessions could disrupt service availability or allow an attacker to invalidate legitimate user sessions. If an attacker can reliably trigger this vulnerability, it could lead to denial-of-service or other forms of service disruption.

Recommendation

• Upgrade the openclaw package to version 2026.3.25 or later to remediate the vulnerability described in the overview.
• Review the openclaw codebase and audit the usage of deleteSession to identify any potential misuse or unexpected invocations.

Attack Chain

1. Attacker identifies an openclaw instance running version 2026.3.24 or earlier.
2. The attacker identifies a channel extension that uses a configured base URL.
3. Attacker crafts a malicious configuration that redirects the base URL to an internal resource.
4. The vulnerable fetch() function in the channel extension makes an HTTP request to the attacker-controlled URL.
5. The request bypasses the SSRF guard due to the incomplete fix for CVE-2026-28476.
6. The targeted internal resource processes the attacker’s request.
7. Sensitive information from the internal resource is potentially exposed to the attacker.
8. Attacker exfiltrates the exposed information, completing the SSRF attack.

Impact

Successful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal resources and sensitive information. The number of potential victims is dependent on the prevalence of vulnerable openclaw instances. If successful, the attacker can read internal files, access internal services, or even potentially execute commands on internal systems, leading to data breaches or further compromise of the network.

Recommendation

• Upgrade the openclaw package to version 2026.3.25 or later to incorporate the fix for CVE-2026-28476, as described in the overview.
• Implement network segmentation to limit the impact of potential SSRF vulnerabilities by restricting access from the affected systems to sensitive internal resources.
• Deploy the Sigma rule “Detect OpenClaw SSRF Vulnerable Versions” to identify potentially vulnerable instances of the openclaw package based on user-agent strings.
• Monitor outbound network connections from openclaw instances for connections to internal IP addresses or unexpected domains, which could indicate SSRF exploitation attempts.

Attack Chain

1. A user generates a pairing setup code using the /pair endpoint or OpenClaw qr command. This code contains the embedded shared gateway credentials.
2. The setup code is shared with the intended recipient via chat, logs or screenshots.
3. The attacker gains access to the setup code through compromised chat history, exposed logs, or publicly shared screenshots.
4. The attacker extracts the long-lived shared gateway credential from the setup code.
5. The attacker reuses the stolen shared gateway credentials outside of the intended one-time pairing flow.
6. The attacker gains unauthorized access to the shared gateway.
7. The attacker leverages the access gained via the gateway for further malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to bypass the intended one-time pairing flow and gain unauthorized access to the shared gateway. The number of potential victims is dependent on the number of OpenClaw deployments and the exposure of pairing setup codes. The primary impact is unauthorized access and potential compromise of sensitive data accessible through the shared gateway.

Recommendation

• Upgrade OpenClaw to version 2026.3.12 or later to remediate the vulnerability (CVE-2026-33575).
• Implement strict controls over the handling and storage of pairing setup codes to prevent unauthorized access.
• Monitor network traffic for suspicious activity originating from OpenClaw gateways, potentially indicating unauthorized access using leaked credentials.
• Deploy the Sigma rule to detect the usage of the /pair endpoint which could indicate unauthorized pairing attempts.

Attack Chain

1. An attacker identifies an OpenClaw instance running a vulnerable version (<= 2026.3.24) of the gateway plugin.
2. The attacker crafts a standard HTTP request to a gateway-authenticated plugin HTTP route.
3. The gateway plugin authenticates the request (assuming valid credentials or bypassing authentication due to misconfiguration).
4. Due to the vulnerability, the plugin incorrectly mints a runtime scope set that includes operator.admin, regardless of the caller’s actual permissions.
5. The attacker’s request is processed with the elevated operator.admin privileges.
6. The attacker leverages these elevated privileges to perform unauthorized administrative actions within the OpenClaw system.
7. These actions could include modifying system configurations, accessing sensitive data, or disrupting services.

Impact

Successful exploitation of this vulnerability allows attackers to bypass intended permission controls within OpenClaw. The impact can range from unauthorized data access to complete system compromise, depending on the specific administrative actions the attacker is able to perform. The vulnerability affects all deployments using the vulnerable OpenClaw gateway plugin versions. This is especially critical in environments where strict role-based access control is required.

Recommendation

• Upgrade OpenClaw gateway plugin to version 2026.3.25 or later to patch the vulnerability (reference: Affected Packages / Versions).
• Implement monitoring for unusual activity related to OpenClaw administrative functions to detect potential exploitation attempts (reference: Sigma rule “Detect OpenClaw Admin Operations from Non-Admin Sources”).
• Review and audit existing OpenClaw configurations and permissions to ensure adherence to the principle of least privilege (reference: Overview).

Attack Chain

1. The attacker gains initial access to the agent workspace.
2. The attacker plants a symbolic link named IDENTITY.md within the agent workspace. This symlink points to a sensitive system file, such as /etc/crontab or ~/.ssh/authorized_keys.
3. The ensureAgentWorkspace function is called, but the exclusive-create flag (wx) skips creation due to the existing symlink (EEXIST error).
4. The attacker triggers the agents.create or agents.update API endpoint, for example, by sending an HTTP POST request.
5. The agents.create or agents.update handler constructs the path to IDENTITY.md using path.join(workspaceDir, DEFAULT_IDENTITY_FILENAME).
6. The vulnerable fs.appendFile function is called to append agent metadata (name, emoji, avatar) to the IDENTITY.md file. Because fs.appendFile follows symlinks, the content is written to the attacker-controlled target file.
7. Attacker-controlled data is appended to the target file.
8. If the target file is a cron configuration file, this leads to remote code execution. If it’s an SSH authorized_keys file, this leads to unauthorized access.

Impact

Successful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. This can lead to:

• Remote Code Execution: By appending malicious entries to /etc/crontab or user crontab files.
• Persistent Code Execution: By modifying shell configuration files like ~/.bashrc or ~/.profile.
• Unauthorized SSH Access: By appending SSH keys to ~/.ssh/authorized_keys.
• Service Disruption: By modifying application configuration files.

The vulnerability affects openclaw versions 2026.2.22 and earlier, and no patches are currently available. The number of affected systems depends on the adoption rate of the openclaw package.

Recommendation

• Monitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.
• Implement and deploy the provided Sigma rule to detect exploitation attempts by monitoring fs.appendFile calls related to IDENTITY.md without symlink resolution.
• Restrict access to the agent workspace directory to prevent attackers from planting symlinks.
• Upgrade to a patched version of openclaw when available.

Attack Chain

1. Attacker identifies an instance of OpenClaw running a version prior to 2026.3.22.
2. Attacker crafts a malicious chat command intended to interact with the ACP.
3. The malicious command bypasses the intended operator.admin scope check due to the vulnerability.
4. The crafted command is sent to the OpenClaw application via the chat interface.
5. The vulnerable code in src/auto-reply/reply/commands-acp.ts processes the command without proper authorization.
6. The command execution results in the mutation of internal ACP configurations or data.
7. Attacker leverages the mutated configurations to gain further control over the OpenClaw application or its environment.

Impact

Successful exploitation of this vulnerability could allow an attacker to perform unauthorized administrative actions within the OpenClaw application. This may include modifying application settings, accessing sensitive data, or disrupting services. The severity of the impact depends on the specific ACP commands that are exposed and the attacker’s ability to chain together multiple commands for greater effect.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.22 or later to apply the fix described in the advisory (see Affected Packages / Versions).
• Monitor chat command inputs for unusual syntax or attempts to access administrative functionalities to detect potential exploitation attempts (use network or application logs).
• Review and audit existing OpenClaw configurations for any unauthorized modifications that may have occurred due to this vulnerability.
• Implement input validation and sanitization on all chat command inputs to prevent command injection attacks.
• Deploy the Sigma rule provided to detect attempts to use ACP commands without proper authorization (see “OpenClaw ACP Command Execution Without Admin Scope”).

Attack Chain

1. An attacker crafts a malicious URL targeting an OpenClaw application using a version prior to 2026.3.7.
2. The victim’s browser or application requests the malicious URL, including custom authorization headers like X-Api-Key or Private-Token.
3. The vulnerable fetchWithSsrFGuard function in OpenClaw fails to properly validate or sanitize headers during cross-origin redirects.
4. The attacker configures their malicious server to respond with an HTTP 302 redirect to a different origin controlled by the attacker.
5. The victim’s client, upon receiving the redirect, unknowingly forwards the sensitive authorization headers to the attacker’s server.
6. The attacker’s server logs or captures the leaked X-Api-Key and/or Private-Token values.
7. The attacker uses the stolen credentials to gain unauthorized access to resources or data protected by those credentials on the original target application.

Impact

Successful exploitation of CVE-2026-32913 can lead to the leakage of sensitive API keys and private tokens. This allows unauthorized access to protected resources, potentially leading to data breaches, account compromise, and other malicious activities. While the specific number of affected applications remains unknown, all OpenClaw deployments prior to version 2026.3.7 are vulnerable. The impact is significant due to the potential for widespread credential compromise across various sectors utilizing OpenClaw for their applications.

Recommendation

• Upgrade OpenClaw to version 2026.3.7 or later to patch CVE-2026-32913 (see references for patch information).
• Implement server-side validation to sanitize and strip potentially sensitive authorization headers before following redirects.
• Deploy the Sigma rule Detect Suspicious Header Forwarding to identify potential exploitation attempts by monitoring for cross-origin redirects involving sensitive headers.
• Monitor web server logs for unusual redirect activity and suspicious user agents (see log source information in the Sigma rules).