Description
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions prior to 2026.5.18 contain a scope bypass flaw in the Gateway chat.send route that lets a client holding only the operator.write scope send commands through inherited external routes. Commands delivered that way are not checked against the operator.approvals and operator.admin scopes that protect privileged actions, so the caller can install plugins, modify configuration, manipulate MCP entries, and alter allowlists and ACP entries. The weakness is incorrect authorization (CWE-863): the required scope is not evaluated against the calling client's own token at the point where the privileged command is dispatched. In effect, any authenticated client with operator.write can elevate itself to administrator over the network.
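As an added illustration of the authorization pattern the description points at (this is not OpenClaw's code; the command table, the scope strings beyond those named in the CVE, the route object and its `inheritedScopes` field are assumptions for the example), a minimal chat.send handler in the vulnerable shape next to the fixed shape. The only difference is which scope set reaches the command dispatcher:

```javascript
// Added illustration of the CWE-863 pattern; not OpenClaw's code. Command names,
// the extra scope strings and the route's `inheritedScopes` field are assumed.
const COMMAND_SCOPES = {
  chat: "operator.write",
  approve: "operator.approvals",
  "plugin.install": "operator.admin",
  "config.set": "operator.admin",
  "mcp.add": "operator.admin",
  "allowlist.add": "operator.admin",
  "acp.set": "operator.admin",
};

// A message is either plain chat or a slash command such as "/plugin.install x".
function parseMessage(message) {
  const text = message.trim();
  if (!text.startsWith("/")) return { command: "chat", args: [text] };
  const [name, ...args] = text.slice(1).split(/\s+/);
  return { command: name, args };
}

// The single authorization point: the resolved command's required scope must be
// present in the scope set handed in. Which set is handed in is the whole bug.
function dispatch(cmd, scopes) {
  const required = COMMAND_SCOPES[cmd.command];
  if (required === undefined) return { ok: false, error: `unknown command ${cmd.command}` };
  if (!scopes.has(required)) return { ok: false, error: `forbidden: requires ${required}` };
  return { ok: true, executed: cmd.command, args: cmd.args };
}

// Vulnerable shape: operator.write is checked once at the route entry, then the
// message is forwarded through an external route whose own scopes are merged
// with the caller's, so a slash command executes with the route's privileges.
function chatSendVulnerable(caller, route, message) {
  if (!caller.scopes.has("operator.write")) return { ok: false, error: "forbidden: requires operator.write" };
  const effective = new Set([...caller.scopes, ...route.inheritedScopes]); // the bypass
  return dispatch(parseMessage(message), effective);
}

// Fixed shape: the route is a transport detail and contributes nothing to
// authorization; the caller's own token scopes are checked against the command.
function chatSendFixed(caller, _route, message) {
  if (!caller.scopes.has("operator.write")) return { ok: false, error: "forbidden: requires operator.write" };
  return dispatch(parseMessage(message), caller.scopes);
}

// Constructed sample: a client holding only operator.write, sending through an
// external route that was registered with admin-level scopes.
const writeOnlyClient = { id: "client-7", scopes: new Set(["operator.write"]) };
const externalRoute = {
  name: "ext-integration",
  inheritedScopes: new Set(["operator.admin", "operator.approvals"]),
};

function demo() {
  return {
    vulnerablePlugin: chatSendVulnerable(writeOnlyClient, externalRoute, "/plugin.install rogue-plugin"),
    fixedPlugin: chatSendFixed(writeOnlyClient, externalRoute, "/plugin.install rogue-plugin"),
    fixedChat: chatSendFixed(writeOnlyClient, externalRoute, "hello"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check worth keeping in mind when reviewing a real gateway: every privileged mutation must be authorized against the identity that originated the request, not against whatever the intermediate route or integration was provisioned with. A route-level check at entry only establishes that the caller may talk to the route, never that it may run what it says.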

Affected Systems

The affected product is OpenClaw (vendor and product are both recorded as openclaw in the CPE), a Node.js-based platform; the CPE restricts the target software to node.js. Vulnerable builds include all releases before the 2026.5.18 update; no other vendors or product lines are identified.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (CVSS 3.1: 8.8) marks this as a high-severity problem; both vectors record network access, low attack complexity, low privileges required and no user interaction, with high impact on confidentiality, integrity and availability. The only prerequisite is a client with operator.write scope, after which the attacker crafts a command directed via an inherited external route to sidestep the operator.approvals and operator.admin checks. No EPSS data is available to estimate current threat prevalence, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the attack as not automatable, with total technical impact. Because there are no further prerequisites, once operator.write scope is obtained the attack is straightforward and can be carried out remotely against an exposed Gateway interface; until patched, operator.write should be treated as administrator-equivalent.

Generated by OpenCVE AI on May 29, 2026 at 17:38 UTC.

Remediation

The CVE record lists no vendor fix or workaround. The description identifies releases before 2026.5.18 as affected, which is the basis for the upgrade recommendation below.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.18 or later; the CVE description identifies every earlier release as affected.
  • Until the upgrade is done, prevent external routes reachable from chat.send from carrying scopes beyond the calling client's, if the Gateway configuration offers such a control. The record does not confirm that such a setting exists, so check the project's documentation rather than assuming it; where no control exists, restrict network exposure of the Gateway to trusted clients.
  • Inventory every token and client holding operator.write, treat them as administrator-equivalent until patched, revoke any that do not need the scope, and enforce an out-of-band approval workflow for plugin, configuration, MCP, allowlist and ACP changes. Audit Gateway logs for chat.send traffic that carries privileged commands from clients lacking operator.admin or operator.approvals.
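An added hunting example for the audit step above, not code from OpenClaw or OpenCVE. The log shape (JSON lines with `route`, `via`, `client`, `scopes` and `message` fields) and the privileged command prefixes are constructed for the example; map them onto whatever the Gateway actually emits before relying on it:

```javascript
// Added hunting example; the log format and command prefixes are assumptions.
const PRIVILEGED_PREFIXES = ["plugin.", "config.", "mcp.", "allowlist.", "acp."];
const ELEVATED_SCOPES = ["operator.admin", "operator.approvals"];

// Constructed sample log: one benign chat, one admin doing admin work, two
// write-only clients pushing privileged commands through external routes,
// one unrelated route and one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-05-29T10:00:01Z","route":"chat.send","via":null,"client":"c1","scopes":["operator.write"],"message":"hello there"}',
  '{"ts":"2026-05-29T10:00:05Z","route":"chat.send","via":"ext-slack","client":"c2","scopes":["operator.write"],"message":"/plugin.install rogue"}',
  '{"ts":"2026-05-29T10:00:09Z","route":"chat.send","via":null,"client":"c3","scopes":["operator.write","operator.admin"],"message":"/config.set gateway.bind 0.0.0.0"}',
  '{"ts":"2026-05-29T10:00:12Z","route":"chat.send","via":"ext-webhook","client":"c2","scopes":["operator.write"],"message":"/allowlist.add 203.0.113.9"}',
  '{"ts":"2026-05-29T10:00:15Z","route":"sessions.list","via":null,"client":"c4","scopes":["operator.read"],"message":""}',
  "not json at all",
];

// True when the message is a slash command in one of the privileged families.
function isPrivilegedCommand(message) {
  if (typeof message !== "string") return false;
  const text = message.trim();
  if (!text.startsWith("/")) return false;
  const name = text.slice(1).split(/\s+/)[0];
  return PRIVILEGED_PREFIXES.some((p) => name.startsWith(p));
}

// Flag chat.send events that arrived via an external route, carry a privileged
// command, and come from a client whose own scopes do not include an elevated one.
function findScopeBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch {
      continue; // malformed line: skip it, never abort the hunt
    }
    if (ev.route !== "chat.send" || !ev.via) continue; // only inherited external routes
    if (!isPrivilegedCommand(ev.message)) continue;
    const scopes = Array.isArray(ev.scopes) ? ev.scopes : [];
    if (ELEVATED_SCOPES.some((s) => scopes.includes(s))) continue; // admin doing admin work
    hits.push({
      ts: ev.ts,
      client: ev.client,
      via: ev.via,
      command: ev.message.trim().split(/\s+/)[0].slice(1),
    });
  }
  return hits;
}

console.log(findScopeBypassAttempts(SAMPLE_LOG));
```

On a patched gateway these events should end in a refusal rather than a mutation, so the same query doubles as a regression check after upgrading: any hit that is followed by a successful plugin, config, MCP, allowlist or ACP change from the same client is a finding.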



Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Description                            OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.
Title                                  OpenClaw < 2026.5.18 - Scope Bypass via Inherited chat.send Route
First Time appeared                    Openclaw
                                       Openclaw openclaw
Weaknesses                             CWE-863
CPEs                                   cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products                     Openclaw
                                       Openclaw openclaw
References
Metrics                                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                       cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:32:58.605Z

Reserved: 2026-04-04T12:32:50.476Z

Link: CVE-2026-35674

Vulnrichment

Updated: 2026-05-29T19:32:43.350Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T16:16:26.377

Modified: 2026-05-29T16:29:34.540

Link: CVE-2026-35674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses