OpenClaw Authentication Bypass Vulnerability in Unauthenticated Plugin-Auth Routes Granting Unauthorized Operator Scopes

Vulnerability

A vulnerability allowing authentication bypass has been identified in OpenClaw versions prior to 2026.3.31. This issue arises in unauthenticated plugin-auth HTTP routes, which improperly receive operator runtime write scopes. As a result, attackers can access these routes without authentication and perform privileged actions intended for authorized operators.

Impact

Exploitation of this vulnerability allows unauthenticated users to access plugin-auth HTTP routes with operator runtime write scopes, enabling them to perform privileged actions that should be reserved for authorized operators.

Reproduction

The vulnerability can be reproduced by sending a request to a plugin-auth HTTP route without any authentication. The route responds as if the caller held operator privileges, giving the anonymous caller access to write-capable runtime actions.
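The Vulnerability and Reproduction sections above describe one misconfiguration class: a route that is reachable without authentication, yet whose handler runs with operator write scopes attached to the route itself rather than to an authenticated principal. The following Python is an added illustration of that pattern and its fix; it is not OpenClaw code, and the route path, scope names and token table in it are constructed placeholders. It models the weak scope resolution beside the corrected one, and includes a configuration audit that flags any unauthenticated route carrying write scopes, which is the check a maintainer would run over a route table.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Scope names are illustrative placeholders, not OpenClaw's real identifiers.
OPERATOR_WRITE: FrozenSet[str] = frozenset({"operator.read", "operator.write"})
NO_SCOPES: FrozenSet[str] = frozenset()


@dataclass
class Request:
    path: str
    token: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Principal:
    name: str
    scopes: FrozenSet[str]


@dataclass
class Route:
    path: str
    requires_auth: bool
    # Scopes attached to the route definition itself. In the vulnerable pattern
    # these apply to whoever reaches the handler, authenticated or not.
    granted_scopes: FrozenSet[str] = NO_SCOPES


# Constructed token table; a real service would verify signed credentials.
TOKENS = {"tok-operator": Principal("operator", OPERATOR_WRITE)}


def authenticate(req: Request) -> Optional[Principal]:
    """Return the principal for a valid token, or None for an anonymous caller."""
    return TOKENS.get(req.token) if req.token else None


def resolve_scopes_vulnerable(route: Route, req: Request) -> FrozenSet[str]:
    """Bug pattern: an unauthenticated route inherits operator write scopes from
    its own definition, so an anonymous caller runs with write capability."""
    principal = authenticate(req)
    if route.requires_auth and principal is None:
        raise PermissionError("authentication required")
    return route.granted_scopes | (principal.scopes if principal else NO_SCOPES)


def resolve_scopes_fixed(route: Route, req: Request) -> FrozenSet[str]:
    """Fix: scopes are derived only from an authenticated principal. Anonymous
    callers get an empty scope set, so every write-capable action fails its check."""
    principal = authenticate(req)
    if route.requires_auth and principal is None:
        raise PermissionError("authentication required")
    return principal.scopes if principal else NO_SCOPES


def can_write(scopes: FrozenSet[str]) -> bool:
    """Scope check a write-capable runtime action would perform before acting."""
    return "operator.write" in scopes


def audit_routes(routes: List[Route]) -> List[str]:
    """Configuration audit: list routes reachable without auth that still carry
    write scopes of their own. Any hit is the misconfiguration class described."""
    return [r.path for r in routes if not r.requires_auth and can_write(r.granted_scopes)]


if __name__ == "__main__":
    # Constructed route table: one unauthenticated plugin-auth route with
    # write scopes attached, one harmless unauthenticated status route.
    routes = [
        Route("/plugin-auth/example", requires_auth=False, granted_scopes=OPERATOR_WRITE),
        Route("/status", requires_auth=False),
    ]
    anon = Request("/plugin-auth/example")
    print("vulnerable, anonymous can write:", can_write(resolve_scopes_vulnerable(routes[0], anon)))
    print("fixed, anonymous can write:", can_write(resolve_scopes_fixed(routes[0], anon)))
    print("routes flagged by audit:", audit_routes(routes))
```

The audit is the useful part for a deployment review: a route table in which `requires_auth` is false and `granted_scopes` contains a write scope is the exact shape of the problem, regardless of which handler sits behind the route.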

Remediation

Upgrade to OpenClaw version 2026.3.31 or later, which corrects the scope assignment for these routes.

Added: Apr 28, 2026, 9:14 PM
Updated: Apr 28, 2026, 9:14 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.