OpenClaw Settings Reconciliation Vulnerability Allowing Bypass of Access Control Denials
Vulnerability
A settings reconciliation vulnerability has been identified in OpenClaw versions prior to 2026.3.22. This vulnerability allows attackers to exploit the handling of empty allowlists, bypassing intended deny-all revocations. The issue arises because explicit empty allowlists are treated as unset during the reconciliation process, which silently undoes access control denials and restores previously revoked permissions.
Impact
Exploitation of this vulnerability can lead to unauthorized access by reinstating permissions that were intended to be revoked, allowing users to bypass established access controls.
Reproduction
The vulnerability can be reproduced by setting an allowlist to be explicitly empty. During the reconciliation process, this empty allowlist will be interpreted as not set, effectively reversing any access control denials that were previously applied. This can be verified by observing that permissions are restored despite being intentionally revoked.
Remediation
Users can update to OpenClaw version 2026.3.22 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.