OpenClaw Guard Bypass Vulnerability in Gateway Configuration Endpoints

A guard bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.20. This vulnerability exists in the agent-facing gateway's 'config.patch' and 'config.apply' endpoints. The issue arises because the guard does not adequately protect operator-trusted settings, such as sandbox policy, plugin enablement, gateway authentication/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A model that injects prompts and has access to the owner-only gateway tool can exploit this vulnerability by making unauthorized changes to these protected operator settings.

Impact

Exploitation of this vulnerability allows for unauthorized modifications to critical operator settings, potentially leading to broader security implications within the application.

Reproduction

The vulnerability can be reproduced by using a prompt-injected model that accesses the owner-only gateway tool. The model can then send requests to the 'config.patch' or 'config.apply' endpoints, attempting to modify protected settings such as sandbox policies or plugin configurations.

Remediation

Users can update to OpenClaw version 2026.4.20 or later, where this vulnerability has been patched.