OpenClaw Nostr Plugin Insufficient Access Control Vulnerability

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.4.10, specifically within the Nostr plugin's HTTP profile mutation routes. Because these mutation endpoints do not enforce the admin scope, an operator holding only write permissions can modify and persist Nostr profile settings that should require administrative rights.
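The following is an added illustration of the flaw class described above, not code from OpenClaw or the Nostr plugin: a route policy in which mutation routes are gated only by the write scope, beside the hardened policy that requires admin. Route paths, scope names and the request shape are assumptions constructed for the example.

```javascript
// Constructed scope hierarchy for this example: admin implies write implies read.
const SCOPE_RANK = { read: 1, write: 2, admin: 3 };

function hasScope(granted, required) {
  const best = Math.max(0, ...granted.map((s) => SCOPE_RANK[s] ?? 0));
  return best >= SCOPE_RANK[required];
}

// Weak policy (hypothetical): every route on the profile resource, including
// the ones that mutate and persist configuration, only demands "write".
const WEAK_POLICY = {
  "GET /nostr/profile": "read",
  "PUT /nostr/profile": "write",
  "POST /nostr/profile/persist": "write",
};

// Hardened policy: anything that mutates or persists profile config needs "admin".
const FIXED_POLICY = {
  "GET /nostr/profile": "read",
  "PUT /nostr/profile": "admin",
  "POST /nostr/profile/persist": "admin",
};

// Dispatch a request against a policy. Routes missing from the policy are
// denied by default, so a newly added mutation route cannot go unguarded.
function dispatch(policy, req) {
  const key = `${req.method} ${req.path}`;
  const required = policy[key];
  if (required === undefined) return { status: 404, allowed: false };
  if (!hasScope(req.scopes, required)) {
    // Audit line a defender would alert on: a write-scoped caller hitting
    // an admin-only mutation route.
    const audit = `denied ${key} required=${required} granted=${req.scopes.join(",")}`;
    return { status: 403, allowed: false, audit };
  }
  return { status: 200, allowed: true };
}

// Constructed sample request: an operator with only the write scope.
const writeOnlyOperator = { method: "PUT", path: "/nostr/profile", scopes: ["write"] };
```

Under the weak policy the write-only operator's mutation succeeds; under the fixed policy it is refused with 403 while the read route still works.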

Impact

The vulnerability allows for unauthorized persistence of profile configurations, potentially leading to misconfigured profiles or exploitation of other related vulnerabilities.

Reproduction

To reproduce this vulnerability, an operator with 'write' permissions sends requests to the Nostr profile mutation endpoints without holding the required 'admin' scope. The authorization check that is supposed to enforce the admin requirement is not applied on these routes, so the requests succeed.

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.10 or later. The latest version available on npm, 2026.4.14, includes the necessary fix.

Added: May 6, 2026, 9:14 PM
Updated: May 6, 2026, 9:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.