OpenClaw Scope Bypass Vulnerability in Gateway Chat Route

Vulnerability

A scope bypass vulnerability has been identified in OpenClaw versions prior to 2026.5.18. The flaw is in the Gateway 'chat.send' route: when a scoped client sends a message into a session that has an inherited external route, any command carried in that message is forwarded without being checked against the scope the command itself requires. An attacker holding only the 'operator.write' scope can therefore run commands that should require 'operator.approvals' or 'operator.admin', enabling unauthorized changes to plugins, configuration, MCP, allowlists, and ACP.
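The following is an added illustration, not OpenClaw's own code: a minimal TypeScript model of a chat.send handler that forwards slash-commands into a session with an external route. The scope names come from this advisory; the command names, the mapping of commands to required scopes, the session and route structure, and the message parsing are assumptions made for the example. The vulnerable handler stops its check at 'operator.write' and then authorizes the forwarded command against the route's inherited scopes, so a caller with only 'operator.write' reaches commands gated on 'operator.admin'; the fixed handler authorizes the command against the caller's own scopes.

```typescript
// Added example, not OpenClaw code. Scope names are from the advisory;
// command names, their required scopes, and the route model are assumptions.

type Scope = "operator.write" | "operator.approvals" | "operator.admin";

interface Client { id: string; scopes: Set<Scope>; }

// A session whose external route runs forwarded commands under its own
// (inherited) identity. Assumed structure for illustration.
interface Session { id: string; externalRoute: { scopes: Set<Scope> } | null; }

// Hypothetical mapping of administrative commands to the scope each requires.
const COMMAND_SCOPE: Record<string, Scope> = {
  "plugins.install": "operator.admin",
  "config.set": "operator.admin",
  "mcp.add": "operator.admin",
  "allowlist.add": "operator.admin",
  "acp.set": "operator.admin",
  "approvals.resolve": "operator.approvals",
};

type Outcome =
  | { status: "chat" }
  | { status: "executed"; command: string }
  | { status: "denied"; reason: string };

// Recognise "/<group>.<verb> [args]"; anything else is ordinary chat text.
function parseCommand(text: string): { name: string; args: string } | null {
  const m = /^\/([a-z]+\.[a-z]+)(?:\s+(.*))?$/.exec(text.trim());
  return m ? { name: m[1], args: m[2] ?? "" } : null;
}

// Authorize and run a command on behalf of `actor`. Unknown commands fail closed.
function executeCommand(actor: Set<Scope>, name: string): Outcome {
  const required: Scope | undefined = COMMAND_SCOPE[name];
  if (required === undefined) return { status: "denied", reason: `unknown command ${name}` };
  if (!actor.has(required)) return { status: "denied", reason: `${name} requires ${required}` };
  return { status: "executed", command: name };
}

// VULNERABLE: the route check stops at operator.write, and a forwarded command
// is then authorized against the external route's inherited scopes, not the
// caller's. This is the confused-deputy pattern the advisory describes.
function chatSendVulnerable(client: Client, session: Session, text: string): Outcome {
  if (!client.scopes.has("operator.write")) return { status: "denied", reason: "missing operator.write" };
  const cmd = parseCommand(text);
  if (cmd === null || session.externalRoute === null) return { status: "chat" };
  return executeCommand(session.externalRoute.scopes, cmd.name);
}

// FIXED: the forwarded command is authorized against the caller's own scopes.
// The route's identity is never used to decide whether the caller may run it.
function chatSendFixed(client: Client, session: Session, text: string): Outcome {
  if (!client.scopes.has("operator.write")) return { status: "denied", reason: "missing operator.write" };
  const cmd = parseCommand(text);
  if (cmd === null || session.externalRoute === null) return { status: "chat" };
  return executeCommand(client.scopes, cmd.name);
}

// Constructed sample principals and session for a stand-alone run.
const writerClient: Client = { id: "ci-bot", scopes: new Set<Scope>(["operator.write"]) };
const adminClient: Client = { id: "ops", scopes: new Set<Scope>(["operator.write", "operator.admin"]) };
const externalSession: Session = {
  id: "sess-1",
  externalRoute: { scopes: new Set<Scope>(["operator.write", "operator.approvals", "operator.admin"]) },
};

function demo(): Outcome[] {
  const msg = "/plugins.install some-plugin";
  return [
    chatSendVulnerable(writerClient, externalSession, msg), // executed: the bypass
    chatSendFixed(writerClient, externalSession, msg),      // denied: caller lacks operator.admin
    chatSendFixed(adminClient, externalSession, msg),       // executed: caller holds operator.admin
    chatSendFixed(writerClient, externalSession, "hello"),  // chat: no command present
  ];
}

console.log(demo());
```

The property to verify after upgrading is the one chatSendFixed encodes: the scope a command requires is evaluated against the token that sent the message, never against whatever identity the session's route carries. Note also that unknown commands are denied rather than forwarded, so a new command cannot silently bypass the table.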

Impact

A client holding only 'operator.write' can execute commands that should require 'operator.approvals' or 'operator.admin'. In effect, any 'operator.write' token that can reach a session with an external route carries administrative authority over plugins, configuration, MCP, allowlists, and ACP.

Remediation

Upgrade to OpenClaw version 2026.5.18 or later. Until the upgrade is applied, do not grant 'operator.write' tokens to clients that can send commands into sessions with external routes unless those clients are trusted with administrative command effects, and review existing tokens that meet that description as if they were 'operator.admin' tokens.

Added: May 29, 2026, 4:26 PM
Updated: May 29, 2026, 4:26 PM

Vulnerability Rating (custom algorithm)

spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.