OpenClaw Privilege Escalation Vulnerability in Chat Endpoint

Vulnerability

A privilege escalation vulnerability affects OpenClaw versions prior to 2026.3.28. The issue lies in the chat.send endpoint: a gateway caller holding only the write scope can manipulate the /verbose parameter to persist session overrides that are meant to be admin-only. As a result, sensitive information or tool output intended solely for administrators can be exposed to callers who are not authorized to see it.

Impact

Exploitation of this vulnerability enables write-scoped gateway callers to persistently override verbose output settings, potentially exposing more detailed reasoning or tool outputs than intended by the administrator.
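To make the authorization gap concrete, the following added example (not OpenClaw's own code) sketches a chat-send handler in the pre-fix shape beside a hardened one. The scope names "operator.read", "operator.write" and "operator.admin", the "/verbose on|off" directive syntax, the session structure and the function names are all assumptions for illustration; the point is that the check for the write scope alone does not protect a session setting that is supposed to be admin-only, so persistence of the override must be gated on the admin scope and a rejected directive should be stripped and recorded rather than silently applied.

```typescript
// Added example, not OpenClaw's code. Scope names, directive syntax and
// session fields are assumed for illustration only.

type Scope = "operator.read" | "operator.write" | "operator.admin";
type VerboseLevel = "on" | "off";

interface Caller { id: string; scopes: Scope[]; }
interface Session { id: string; verboseOverride?: VerboseLevel; }
interface ChatSendResult { session: Session; text: string; rejected: string[]; }

// Matches a "/verbose" token with an optional "on"/"off" argument; "/verbosely" does not match.
const VERBOSE_DIRECTIVE = /(^|\s)\/verbose(?:\s+(on|off))?(?=\s|$)/i;

// Pulls the directive out of the message text; a bare "/verbose" means "on".
function parseVerboseDirective(text: string): { level: VerboseLevel | null; stripped: string } {
  const m = VERBOSE_DIRECTIVE.exec(text);
  if (!m) return { level: null, stripped: text };
  const level = ((m[2] ?? "on").toLowerCase()) as VerboseLevel;
  const stripped = text.replace(VERBOSE_DIRECTIVE, " ").replace(/\s+/g, " ").trim();
  return { level, stripped };
}

function hasScope(caller: Caller, scope: Scope): boolean {
  return caller.scopes.includes(scope);
}

function requireWriteScope(caller: Caller): void {
  if (!hasScope(caller, "operator.write")) {
    throw new Error(`forbidden: caller ${caller.id} lacks operator.write`);
  }
}

// Pre-fix shape of the flaw: the endpoint only checks the write scope, so any
// write-scoped caller persists the admin-only verbose override on the session.
function chatSendUnchecked(session: Session, caller: Caller, text: string): ChatSendResult {
  requireWriteScope(caller);
  const { level, stripped } = parseVerboseDirective(text);
  const next: Session = { ...session };
  if (level) next.verboseOverride = level;
  return { session: next, text: stripped, rejected: [] };
}

// Hardened shape: persisting the session-level override additionally requires
// the admin scope. Non-admin callers get the directive stripped and recorded
// in `rejected` so the event can be logged, and the session is left unchanged.
function chatSendHardened(session: Session, caller: Caller, text: string): ChatSendResult {
  requireWriteScope(caller);
  const { level, stripped } = parseVerboseDirective(text);
  const next: Session = { ...session };
  const rejected: string[] = [];
  if (level) {
    if (hasScope(caller, "operator.admin")) {
      next.verboseOverride = level;
    } else {
      rejected.push(`/verbose ${level}`);
    }
  }
  return { session: next, text: stripped, rejected };
}

// Constructed sample run: a write-only caller tries to turn verbose output on.
const writeOnlyCaller: Caller = { id: "writer", scopes: ["operator.write"] };
const sampleSession: Session = { id: "session-1" };
const before = chatSendUnchecked(sampleSession, writeOnlyCaller, "summarize /verbose on this");
const after = chatSendHardened(sampleSession, writeOnlyCaller, "summarize /verbose on this");
console.log("unchecked override:", before.session.verboseOverride); // "on" (the flaw)
console.log("hardened override:", after.session.verboseOverride, "rejected:", after.rejected);
```

The `rejected` list is what a detection rule would key on: a write-scoped caller repeatedly submitting `/verbose` directives that the hardened handler drops is a signal worth alerting on, whereas the pre-fix handler leaves no trace because the override simply takes effect.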

Remediation

Upgrade to OpenClaw version 2026.3.28 or later to address this vulnerability.

Added: Apr 23, 2026, 10:33 PM
Updated: Apr 23, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          5.0
exploitability  5.2
remediation     0.0
relevance       6.5
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.