OpenClaw Authorization Context Reuse Vulnerability in Collect-Mode Queue Batches
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.4.14, allowing for authorization context reuse in collect-mode queue batches. This issue enables messages from different senders to adopt the final sender's authorization context. As a result, attackers could exploit this by sending multiple queued messages, using a more privileged sender's context to execute earlier messages with elevated permissions.
Impact
Exploitation of this vulnerability could lead to incorrect privilege assignment, allowing messages to be processed with unauthorized elevated rights.
Reproduction
The vulnerability can be reproduced by sending multiple messages through a queue in collect mode, using different sender identities. The last sender's authorization context will be applied to all messages in the batch, allowing earlier messages to be executed with elevated privileges.
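The following is an added illustration, not OpenClaw's code: a minimal collect-mode batcher in JavaScript (OpenClaw ships on npm) that shows the flawed pattern the advisory describes, where one authorization context derived from the last queued message is applied to the whole batch, beside the corrected per-message evaluation and a small check that flags context reuse in batch results. All names (processBatchShared, processBatchPerMessage, findContextReuse, the role and command tables) and the sample batch are constructed for this example and are assumptions about the shape of such a queue, not OpenClaw's actual API.

```javascript
// Added example, not OpenClaw's own code: hypothetical collect-mode batcher
// demonstrating authorization-context reuse across senders and its fix.

// Constructed privilege ordering and per-command requirements.
const PRIVILEGE = { guest: 0, user: 1, admin: 2 };
const REQUIRED = { list: 'guest', read: 'user', delete: 'admin' };

// Constructed sample batch: three queued messages from different senders.
// Message 1 is a low-privilege sender asking for an admin-only command.
const SAMPLE_BATCH = [
  { id: 1, sender: 'alice', role: 'guest', command: 'delete' },
  { id: 2, sender: 'bob',   role: 'user',  command: 'read' },
  { id: 3, sender: 'carol', role: 'admin', command: 'delete' },
];

// Authorization decision for one message under a given context.
function isAllowed(authCtx, command) {
  const required = REQUIRED[command];
  if (required === undefined) return false; // unknown command: deny
  return PRIVILEGE[authCtx.role] >= PRIVILEGE[required];
}

// Flawed pattern (the advisory's failure mode): the batch is collected first
// and a single authorization context is taken from the last queued message,
// so every earlier message runs with the final sender's privileges.
function processBatchShared(batch) {
  if (batch.length === 0) return []; // edge case: nothing collected
  const last = batch[batch.length - 1];
  const sharedCtx = { sender: last.sender, role: last.role };
  return batch.map(msg => ({
    id: msg.id,
    sender: msg.sender,
    executedAs: sharedCtx.sender,
    allowed: isAllowed(sharedCtx, msg.command),
  }));
}

// Corrected pattern: each message keeps and is evaluated against its own
// authorization context, independent of what else was collected with it.
function processBatchPerMessage(batch) {
  return batch.map(msg => {
    const ctx = { sender: msg.sender, role: msg.role };
    return {
      id: msg.id,
      sender: msg.sender,
      executedAs: ctx.sender,
      allowed: isAllowed(ctx, msg.command),
    };
  });
}

// Detection check: returns ids of results that executed under a context
// belonging to a different sender than the one who queued the message.
function findContextReuse(results) {
  return results.filter(r => r.executedAs !== r.sender).map(r => r.id);
}

// Stand-alone demonstration.
console.log('shared context :', processBatchShared(SAMPLE_BATCH));
console.log('reused ids     :', findContextReuse(processBatchShared(SAMPLE_BATCH)));
console.log('per-message    :', processBatchPerMessage(SAMPLE_BATCH));
```

Under the shared-context path, message 1 (a guest requesting an admin-only command) is allowed because the batch inherited the admin sender's context, and the reuse check reports messages 1 and 2; under the per-message path the same message is denied and the check reports nothing. The design point is that authorization must be bound to the message that carries it before batching, never recomputed from whatever happens to be last in the queue.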
Remediation
Users are advised to upgrade to OpenClaw version 2026.4.14 or later, as this version includes the necessary fix. The latest npm release, 2026.4.14, already contains the patch.
