A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped.
openclaw (npm)2026.3.2<= 2026.3.22026.3.7Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.<provider>.configWrites gates. That allowed an authenticated operator.write gateway client to bridge into persistent config writes even though direct config.* RPC methods remain operator.admin scoped.
The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent /config set|unset writes routed through gateway chat.send now require operator.admin
- read-only /config show remains available to normal write-scoped gateway clients
- normal messaging-channel /config behavior remains unchanged
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with operator.write, chat.send access, and /config command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.
5f8f58ae25e2a78f31b06edcf26532d634ca554enpm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-hfpr-jhpq-x4rm ↗ |
| CWE id | Name |
|---|---|
| CWE-863 | Incorrect Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | <= 2026.3.2 | 2026.3.7 | — |