CVE-2026-45001

OpenClaw · OpenClaw

OpenClaw is affected by a missing authorization vulnerability in the gateway configuration.

Executive summary

A missing authorization flaw in OpenClaw allows authenticated users to mutate gateway configurations, potentially disrupting service availability.

Vulnerability

This is a missing authorization vulnerability (CWE-862) occurring within the agent tool access mechanism. An authenticated user can bypass configuration guards to modify gateway settings without proper permission checks.

Business impact

An attacker exploiting this vulnerability could unauthorizedly alter system configurations, which may result in service disruption or the exposure of sensitive gateway parameters. With a CVSS score of 7.1, this flaw presents a substantial risk to service availability and configuration integrity.

Remediation

Immediate Action: Update the OpenClaw npm package to version 2026.4.20 to enforce proper authorization checks.

Proactive Monitoring: Review audit logs for unauthorized configuration changes or suspicious activity related to agent tool access.

Compensating Controls: Implement strict role-based access control (RBAC) to limit the number of users who can interact with sensitive gateway configuration tools.

Exploitation status

Public Exploit Available: No (no confirmed public exploit in available data).

Analyst recommendation

To maintain the security and stability of your infrastructure, please apply the update to version 2026.4.20 as soon as possible. Restricting access to sensitive configuration tools remains a critical layer of defense against this vulnerability.