Impact
OpenClaw versions prior to 2026.3.11 allow an attacker to bypass the configWrites access control by using channel commands. The vulnerability, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), lets a user authorized on one account issue commands such as "/config set channels.<provider>.accounts.<id>" to alter the configuration of a different account that has configWrites disabled. This gives the attacker the ability to change service settings or potentially disrupt operations on those target accounts, compromising the confidentiality and availability of the affected configurations.
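The check the bypass exploits, as an added example that is not OpenClaw's code: a hypothetical channel command handler in which configWrites is evaluated on the caller's own account (the vulnerable pattern) beside one that evaluates authorization and configWrites on the account the config path actually targets (the fixed pattern). The config shape, account ids and authorization table are constructed for the example.

```javascript
// Hypothetical model of the bypass described above and its fix; not OpenClaw code.
// Constructed sample configuration: two accounts under one provider,
// with configWrites disabled on "acct-b".
function makeConfig() {
  return { channels: { demo: { accounts: {
    "acct-a": { configWrites: true,  settings: { webhook: "https://a.example" } },
    "acct-b": { configWrites: false, settings: { webhook: "https://b.example" } },
  } } } };
}

// Constructed authorization table: which account ids each user may administer.
const AUTHZ = { alice: new Set(["acct-a"]) };

// Parse "channels.<provider>.accounts.<id>.<key...>" into its parts, or null.
function parseAccountPath(path) {
  const m = /^channels\.([^.]+)\.accounts\.([^.]+)\.(.+)$/.exec(path);
  return m ? { provider: m[1], id: m[2], key: m[3] } : null;
}

// Write value at a dotted path; performs no authorization of its own.
function setPath(obj, path, value) {
  const parts = path.split(".");
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (typeof cur[p] !== "object" || cur[p] === null) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
}

// Vulnerable pattern (CWE-639): configWrites is checked on the account the command
// was issued from, so the path may name any other account, even one with writes off.
function configSetVulnerable(cfg, user, caller, path, value) {
  const own = cfg.channels[caller.provider]?.accounts[caller.id];
  if (!own || !AUTHZ[user]?.has(caller.id) || !own.configWrites) return "denied";
  setPath(cfg, path, value);
  return "ok";
}

// Fixed pattern: resolve the account the path targets and evaluate both the
// user's authorization and configWrites on that target account.
function configSetFixed(cfg, user, path, value) {
  const t = parseAccountPath(path);
  if (!t) return "denied"; // only account-scoped paths are modeled here
  const target = cfg.channels[t.provider]?.accounts[t.id];
  if (!target || !AUTHZ[user]?.has(t.id) || !target.configWrites) return "denied";
  setPath(cfg, path, value);
  return "ok";
}
```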
Affected Systems
The affected product is OpenClaw (vendor OpenClaw). All installations running a version earlier than 2026.3.11 are vulnerable, regardless of the Node.js runtime named in the CPE string. Users should verify the exact patch level and confirm they are on 2026.3.11 or later to close the bypass.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity; no EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a legitimate authorized user who can issue channel commands; no further access requirements are stated, so any authorized account on the platform could exploit the weakness. No privilege elevation outside the normal command context is required, which makes the issue relatively easy to abuse for anyone who already has or obtains account access.
OpenCVE Enrichment