OpenClaw Improper Access Control Vulnerability in Gateway Tool Allowing Unsafe Config Mutations
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.4.23 allows a compromised model to bypass access controls in the gateway tool's config.apply and config.patch operations. The flaw arises from an incomplete denylist: protected configuration paths that the list does not cover can still be written, so a model can apply unsafe configuration changes. Such modifications can affect command execution, network behavior, credentials, and operator policies, and they persist across restarts.
Impact
Exploitation of this vulnerability could lead to unauthorized configuration changes that bypass security controls, allowing a model to manipulate sensitive aspects of the application such as command execution rights, network and proxy settings, credential management, and operator policies. These changes could persist after a restart, potentially leading to long-term security issues.
Reproduction
To reproduce this vulnerability, a model must be prompted to make configuration changes through the gateway tool's 'config.apply' or 'config.patch' actions. A prompt injection that exploits the access control bypass lets the model write unsafe configurations: the model's input is manipulated to include directives that alter protected config paths, such as those governing command execution or network behavior.
Remediation
Users can update to OpenClaw version 2026.4.23 or later, where this vulnerability has been addressed by replacing the denylist with a fail-closed allowlist for gateway config mutations.
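The denylist-versus-allowlist distinction behind the fix, as an added illustration that is not OpenClaw's code: a nested config patch is flattened to dotted paths, and the same patch is checked by an incomplete denylist (the vulnerable shape) and by a fail-closed allowlist (the remediated shape). All config paths here are constructed and hypothetical, not OpenClaw's real schema.

```python
from typing import Any, Callable

# Constructed, hypothetical dotted config paths; not OpenClaw's real schema.
DENY_PREFIXES = ("tools.exec", "network.proxy", "credentials")  # incomplete on purpose
ALLOW_PATHS = frozenset({"ui.theme", "agent.name", "logging.level"})

def flatten(patch: dict, prefix: str = "") -> dict[str, Any]:
    """Flatten a nested patch into {dotted.path: value}."""
    out: dict[str, Any] = {}
    for key, value in patch.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def denylist_rejects(patch: dict) -> list[str]:
    """Vulnerable shape: only paths under a known-bad prefix are refused."""
    return [p for p in flatten(patch)
            if any(p == d or p.startswith(d + ".") for d in DENY_PREFIXES)]

def allowlist_rejects(patch: dict) -> list[str]:
    """Fail-closed shape: every path not explicitly allowed is refused."""
    return [p for p in flatten(patch) if p not in ALLOW_PATHS]

def deep_merge(base: dict, patch: dict) -> dict:
    """Return a new dict with patch merged into base (nested dicts merged)."""
    merged = dict(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def apply_patch(config: dict, patch: dict,
                policy: Callable[[dict], list[str]]) -> dict:
    """Apply the patch only if the policy rejects nothing; never apply partially."""
    rejected = policy(patch)
    if rejected:
        raise PermissionError(f"config.patch refused paths: {rejected}")
    return deep_merge(config, patch)

if __name__ == "__main__":
    # A model-authored patch touching a sensitive path the denylist author never listed.
    patch = {"operator": {"policy": {"approval": "never"}}}
    print("denylist rejects:", denylist_rejects(patch))   # []  -> slips through
    print("allowlist rejects:", allowlist_rejects(patch))  # ['operator.policy.approval']
```

The allowlist refuses the unlisted operator-policy path without anyone having anticipated it, which is what "fail-closed" buys over enumerating known-bad paths.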