CVE-2026-45001
OpenClaw · OpenClaw
OpenClaw is affected by a missing authorization vulnerability in the gateway configuration.
Executive summary
A missing authorization flaw in OpenClaw allows authenticated users to mutate gateway configurations, potentially disrupting service availability.
Vulnerability
This is a missing authorization vulnerability (CWE-862) occurring within the agent tool access mechanism. An authenticated user can bypass configuration guards to modify gateway settings without proper permission checks.
Business impact
An attacker exploiting this vulnerability could unauthorizedly alter system configurations, which may result in service disruption or the exposure of sensitive gateway parameters. With a CVSS score of 7.1, this flaw presents a substantial risk to service availability and configuration integrity.
Remediation
Immediate Action: Update the OpenClaw npm package to version 2026.4.20 to enforce proper authorization checks.
Proactive Monitoring: Review audit logs for unauthorized configuration changes or suspicious activity related to agent tool access.
Compensating Controls: Implement strict role-based access control (RBAC) to limit the number of users who can interact with sensitive gateway configuration tools.
Exploitation status
Public Exploit Available: No (no confirmed public exploit in available data).
Analyst recommendation
To maintain the security and stability of your infrastructure, please apply the update to version 2026.4.20 as soon as possible. Restricting access to sensitive configuration tools remains a critical layer of defense against this vulnerability.