Description
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence.
Published: 2026-05-06
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before 2026.4.10 suffers from insufficient access control on Nostr plugin HTTP profile routes, allowing any operator with write permissions to persist profile configuration without admin authority. This flaw permits attackers with operator.write scope to modify Nostr profile settings through unprotected mutation endpoints, granting them unauthorized configuration persistence that could affect application behavior or data integrity.

Affected Systems

The vulnerability affects OpenClaw (vendor: OpenClaw). All installations running any version earlier than 2026.4.10 are impacted; the issue is resolved in that release and later versions.

Risk and Exploitability

The CVSS score of 6 signals moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The likely attack vector is through the application's exposed HTTP endpoints, requiring the attacker to have operator.write privileges, which may be granted to legitimate users. Given the moderate severity and typical deployment context, the risk is moderate with a potential for persistent unauthorized configuration changes if the privileged scope is compromised.

Generated by OpenCVE AI on May 6, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.10 or later to apply the vendor-provided fix for the insufficient access control error in Nostr profile mutation routes.
  • If an upgrade cannot be performed immediately, restrict the operator.write permission to trusted personnel only and monitor profile mutation requests for anomalous activity.
  • Apply the commit referenced in the advisory (commit 6517c700de9bb0ee11b41ab625ef3b63d01b6083) or equivalent changes to enforce proper admin verification before configuration persistence.

Generated by OpenCVE AI on May 6, 2026 at 21:34 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence.
Title | | OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
 | | cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T13:54:07.716Z

Reserved: 2026-05-01T17:00:54.537Z

Link: CVE-2026-43579

Vulnrichment

Updated: 2026-05-07T13:54:03.058Z

NVD

Status : Analyzed

Published: 2026-05-06T20:16:33.643

Modified: 2026-05-07T17:04:32.137

Link: CVE-2026-43579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T02:00:17Z

Weaknesses