OpenClaw Privilege Escalation Vulnerability in Gateway-Authenticated Plugin HTTP Routes
Vulnerability
A privilege escalation vulnerability has been identified in OpenClaw versions prior to 2026.3.25. It exists in gateway-authenticated plugin HTTP routes, which are granted the 'operator.admin' runtime scope unconditionally, regardless of the scopes the caller was actually granted at authentication. This scope boundary bypass allows an attacker holding any gateway-authenticated credential to gain elevated privileges and perform unauthorized administrative actions.
Impact
Exploitation of this vulnerability allows unauthorized administrative actions to be performed under the incorrectly granted 'operator.admin' runtime scope, even when the caller's own credential carries no administrative scope.
Reproduction
The vulnerability can be reproduced by creating a gateway-authenticated plugin HTTP route. When this route is accessed, it will automatically receive the 'operator.admin' runtime scope, regardless of the scopes that were actually granted by the caller. This can be verified by checking the scopes available to the plugin route after authentication.
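The following is an added illustration, not OpenClaw's own code: a hypothetical model of how a gateway builds the runtime context for a plugin route, with the flawed behaviour (a fixed 'operator.admin' scope) beside the corrected one (scopes inherited from the authenticated caller), plus the check described above that compares what the route sees against what the caller was granted. All type and function names are assumptions.

```typescript
// Hypothetical model of the scope boundary described in the advisory
// (not OpenClaw's implementation). Scope names other than operator.admin are assumed.
type Scope = "operator.read" | "operator.write" | "operator.admin";

interface AuthenticatedCaller {
  principal: string;
  scopes: Scope[]; // scopes actually granted at gateway authentication time
}

interface PluginRouteContext {
  principal: string;
  scopes: Scope[]; // scopes the plugin route sees at runtime
}

// Flawed behaviour: every gateway-authenticated plugin route receives
// operator.admin, no matter what the caller holds.
function buildContextVulnerable(caller: AuthenticatedCaller): PluginRouteContext {
  return { principal: caller.principal, scopes: ["operator.admin"] };
}

// Corrected behaviour: the runtime scope set is exactly the caller's granted
// scopes, so a plugin route can never be more privileged than its caller.
function buildContextFixed(caller: AuthenticatedCaller): PluginRouteContext {
  return { principal: caller.principal, scopes: [...caller.scopes] };
}

// Verification check from the reproduction section: list every scope present
// in the route context that the caller was never granted. Empty means no escalation.
function escalatedScopes(caller: AuthenticatedCaller, ctx: PluginRouteContext): Scope[] {
  const granted = new Set<Scope>(caller.scopes);
  return ctx.scopes.filter((s) => !granted.has(s));
}

// Authorization gate a plugin route applies before an administrative action.
function requireScope(ctx: PluginRouteContext, needed: Scope): boolean {
  return ctx.scopes.includes(needed);
}

// Constructed sample caller: a read-only credential.
const readOnlyCaller: AuthenticatedCaller = { principal: "ci-bot", scopes: ["operator.read"] };
```

Running the check against both builders with the read-only caller shows the vulnerable context carrying 'operator.admin' it was never granted, while the fixed context reports no escalated scopes.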
Remediation
Users can update to OpenClaw version 2026.3.25 or later to address this vulnerability.
