Description
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.
Published: 2026-04-28
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows attackers to elevate privileges by abusing the gateway plugin’s HTTP authentication mechanism. By sending read‑scoped requests through the gateway authentication route, an attacker can gain operator.write permissions for runtime operations. This effectively turns a normally restricted read request into a write capability, allowing unauthorized modification or execution of runtime actions.

Affected Systems

OpenClaw, all versions earlier than 2026.4.8 (every released build prior to the 2026.4.8 update).

Risk and Exploitability

The CVSS score of 6.0 indicates medium severity. No publicly disclosed exploits are listed in the KEV catalog, and exploit probability data (EPSS) is unavailable, suggesting limited or no evidence of active exploitation. The attack requires only an HTTP request to the gateway authentication route, a path typically exposed to network clients, so the vulnerability is reachable in practice and presents a moderate risk of privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.8 or later, which resolves the gateway authentication flaw.
  • If an immediate upgrade is not feasible, limit network access to the gateway authentication endpoint to trusted hosts only, thereby reducing exposure to unauthorized read requests.
  • Review the gateway plugin configuration to ensure that operator.read requests cannot trigger write operations, and consider disabling the gateway plugin temporarily until a patch is applied.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type / Values Removed / Values Added (all entries below are Values Added; the Values Removed column is empty)

Description: OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.
Title: OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none listed)
Metrics:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}
  cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:09:41.598Z

Reserved: 2026-04-27T11:38:59.196Z

Link: CVE-2026-42429

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:46.773

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-42429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses