OpenClaw Insufficient Access Control Vulnerability in Configuration and Debug Command Handlers
Vulnerability
An insufficient access control vulnerability has been identified in OpenClaw versions prior to 2026.3.12. It exists in the '/config' and '/debug' command handlers, where a missing owner-level permission check lets command-authorized non-owners reach owner-only surfaces. By exploiting this flaw, attackers can read or modify privileged configuration settings that are supposed to be restricted to owners.
Impact
The vulnerability allows non-owner users with command authorization to access and alter sensitive configuration settings that should be reserved for owners, potentially leading to unauthorized changes in the application's behavior or functionality.
Remediation
Users can upgrade to OpenClaw version 2026.3.12 or later, where this vulnerability has been addressed by enforcing owner-level permission checks for the '/config' and '/debug' command handlers.
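The authorization gap the advisory describes, modelled as an added example in TypeScript (this is illustrative code, not OpenClaw's own; the names AuthPolicy, dispatchVulnerable, dispatchFixed and the sample policy are assumptions). The vulnerable dispatcher applies only the command-authorization gate, so any command-authorized sender reaches the '/config' and '/debug' handlers; the fixed dispatcher adds the owner-level check before the handler runs.

```typescript
// Added example (not OpenClaw's code): owner-only command gating.
// All identifiers below are assumptions used for illustration.
type Sender = { id: string };

interface AuthPolicy {
  ownerIds: Set<string>;          // principals with owner-level permission
  commandAuthorized: Set<string>; // principals allowed to run ordinary commands
}

type Result = { ok: true; output: string } | { ok: false; error: string };

// Commands whose handlers expose owner-only surfaces (per the advisory).
const OWNER_ONLY = new Set(["/config", "/debug"]);

// Stand-in handlers; the real ones would read or mutate privileged settings.
const HANDLERS: Record<string, () => string> = {
  "/config": () => "config: <privileged settings>",
  "/debug": () => "debug: <internal state>",
  "/help": () => "help: /config /debug /help",
};

function isCommandAuthorized(policy: AuthPolicy, sender: Sender): boolean {
  return policy.commandAuthorized.has(sender.id);
}

// Vulnerable shape: the only gate is command authorization, so a
// command-authorized non-owner can invoke /config and /debug.
function dispatchVulnerable(policy: AuthPolicy, sender: Sender, cmd: string): Result {
  if (!isCommandAuthorized(policy, sender)) return { ok: false, error: "not authorized" };
  const handler = HANDLERS[cmd];
  if (!handler) return { ok: false, error: "unknown command" };
  return { ok: true, output: handler() };
}

// Fixed shape: owner-only commands are denied in the dispatcher, before any
// handler runs, unless the sender also holds owner-level permission.
function dispatchFixed(policy: AuthPolicy, sender: Sender, cmd: string): Result {
  if (!isCommandAuthorized(policy, sender)) return { ok: false, error: "not authorized" };
  if (OWNER_ONLY.has(cmd) && !policy.ownerIds.has(sender.id)) {
    return { ok: false, error: "owner-only command" };
  }
  const handler = HANDLERS[cmd];
  if (!handler) return { ok: false, error: "unknown command" };
  return { ok: true, output: handler() };
}

// Constructed sample policy: "alice" is an owner, "bob" is command-authorized only.
const samplePolicy: AuthPolicy = {
  ownerIds: new Set(["alice"]),
  commandAuthorized: new Set(["alice", "bob"]),
};
```

A regression test that asserts a command-authorized non-owner is refused '/config' and '/debug' while still able to run ordinary commands is the check to keep alongside the fix.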