Description
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.
Published: 2026-05-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions 2026.4.5 through 2026.4.9 allow actors with write‑scoped gateway privileges to alter memory dreaming settings through the /dreaming endpoint, enabling them to toggle admin‑class configuration mutations. This missing authorization flaw (CWE‑862) lets a user who ordinarily has only write scope obtain administrative privileges on the product, compromising the system’s integrity and potentially allowing further unauthorized actions.

Affected Systems

The affected product is OpenClaw. Versions below 2026.4.10, specifically 2026.4.5 up to 2026.4.9, are impacted, while the fix is included in version 2026.4.10 and later.

Risk and Exploitability

The CVSS score of 7.1 marks the vulnerability as high severity; EPSS information is unavailable, and it is not listed in the CISA KEV catalog. Attackers who already control a write‑scoped gateway session can send a request to the /dreaming endpoint to change configuration; no additional payload is required. The flaw stems from missing authorization checks, so exploitation is limited to systems where the endpoint is reachable by a write‑scoped user.

Generated by OpenCVE AI on May 5, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.10 or later to apply the vendor patch
  • Restrict write‑scoped gateway access to the /dreaming endpoint or remove the endpoint if it is not needed
  • Apply network or application access controls to block non‑administrative traffic to /dreaming



Advisories
Source | ID | Title
Github GHSA | GHSA-5gjc-grvm-m88j | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
History

Tue, 05 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.
Title | | OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T12:20:38.936Z

Reserved: 2026-05-01T16:58:23.117Z

Link: CVE-2026-43568

Vulnrichment

Updated: 2026-05-05T12:20:35.074Z

NVD

Status: Undergoing Analysis

Published: 2026-05-05T12:16:20.343

Modified: 2026-05-05T19:32:49.650

Link: CVE-2026-43568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:45:24Z

Weaknesses