Impact
A gateway operator possessing operator.write privileges can alter global configuration entries that are intended for operator.admin users, a flaw caused by insufficient validation in the Active Memory write scope. By using the write scope vulnerability, the attacker can insert, modify, or delete critical configuration parameters, thereby subverting the intended access restrictions within the OpenClaw system. The unauthorized changes could affect routing rules, security policies, or network behavior, effectively elevating the attacker’s privileges over the platform.
Affected Systems
Any installation of OpenClaw running a version prior to 2026.5.6 is affected. This includes all deployments of the core Gateway component that stores configuration data, irrespective of deployment context.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector involves an internal user who already holds operator.write permissions; once such a role is compromised or misused, the attacker can perform unauthorized configuration changes without needing operator.admin rights. Consequently, the risk is moderate but can become significant if the altered settings impact critical security controls or core network functionalities.
OpenCVE Enrichment
Github GHSA