OpenClaw Approval Boundary Bypass Vulnerability in Trusted Proxy Mode
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.4.8 allows an approval-boundary bypass in trusted proxy mode. The issue arises from a fallback mechanism that activates when an approval request times out: it lets inline evaluation commands run without the required explicit user approval. This circumvents the strictInlineEval approval process and creates a security risk on gateway and node execution hosts.
Impact
Exploitation of this vulnerability bypasses the strictInlineEval explicit-approval requirements, allowing unauthorized execution of inline eval commands.
Reproduction
The vulnerability can be reproduced by configuring the environment to use a trusted proxy and then initiating a process that requires explicit approval for inline eval commands. When the approval request times out, the fallback activates and the inline eval commands are executed without the necessary approval.
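To make the failure mode concrete, the following is an added illustrative model of the approval gate described in the Vulnerability and Reproduction sections; it is not OpenClaw's code, and the names ApprovalRequest, GateConfig, evaluateGate, isApprovalBypass and the failOpenOnTimeout knob are assumptions. The same timed-out request is evaluated under a configuration whose trusted-proxy fallback treats a timeout as consent and under one that fails closed, and an audit helper flags any allow decision that was not backed by an explicit verdict.

```typescript
// Illustrative model of an explicit-approval gate for inline eval commands.
// Added example, not OpenClaw's code: every name here (ApprovalRequest,
// GateConfig, evaluateGate, isApprovalBypass, failOpenOnTimeout) is assumed.

type Verdict = "approved" | "denied" | "pending";

interface ApprovalRequest {
  command: string;      // inline eval payload waiting on a reviewer
  requestedAt: number;  // epoch ms when the approval prompt was issued
  timeoutMs: number;    // how long the gate waits for a verdict
  verdict: Verdict;     // what the reviewer has said so far
}

interface GateConfig {
  strictInlineEval: boolean;   // require explicit approval for inline eval
  trustedProxy: boolean;       // gateway sits behind a trusted reverse proxy
  failOpenOnTimeout: boolean;  // assumed knob: treat a timed-out prompt as consent
}

interface Decision {
  allow: boolean;
  reason: string;
}

// Decide whether an inline eval command may run at time `now`.
function evaluateGate(cfg: GateConfig, req: ApprovalRequest, now: number): Decision {
  if (!cfg.strictInlineEval) {
    return { allow: true, reason: "strictInlineEval disabled by policy" };
  }
  if (req.verdict === "approved") {
    return { allow: true, reason: "explicit approval recorded" };
  }
  if (req.verdict === "denied") {
    return { allow: false, reason: "explicitly denied" };
  }
  const timedOut = now - req.requestedAt >= req.timeoutMs;
  if (!timedOut) {
    return { allow: false, reason: "approval still pending" };
  }
  // Weak behaviour: in trusted proxy mode a timed-out prompt is treated as
  // consent, so the command runs although nobody ever approved it.
  if (cfg.trustedProxy && cfg.failOpenOnTimeout) {
    return { allow: true, reason: "timeout fallback (fail-open)" };
  }
  // Hardened behaviour: a timeout is a missing approval, so the gate fails closed.
  return { allow: false, reason: "approval timed out (fail-closed)" };
}

// Audit check: an allow under strictInlineEval that is not backed by an
// explicit "approved" verdict is an approval-boundary bypass.
function isApprovalBypass(cfg: GateConfig, req: ApprovalRequest, d: Decision): boolean {
  return cfg.strictInlineEval && d.allow && req.verdict !== "approved";
}

// Run the same timed-out request through the weak and the hardened config.
function compareConfigs(): { weak: Decision; hardened: Decision } {
  const req: ApprovalRequest = {
    command: "eval('1+1')",   // constructed sample payload
    requestedAt: 0,
    timeoutMs: 30000,
    verdict: "pending",       // the reviewer never answered
  };
  const weak: GateConfig = { strictInlineEval: true, trustedProxy: true, failOpenOnTimeout: true };
  const hardened: GateConfig = { ...weak, failOpenOnTimeout: false };
  const now = 60000;          // well past the 30 s deadline
  return { weak: evaluateGate(weak, req, now), hardened: evaluateGate(hardened, req, now) };
}

console.log(compareConfigs());
```

Running the block prints an allow with reason "timeout fallback (fail-open)" for the weak configuration and a deny with reason "approval timed out (fail-closed)" for the hardened one; isApprovalBypass returns true only for the former, which is the condition an audit of gate decisions should alert on.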
Remediation
Users can update to OpenClaw version 2026.4.8 or later to address this vulnerability.