CVE-2026-62186
OpenClaw · OpenClaw
OpenClaw is susceptible to authorization bypass vulnerabilities due to missing or incorrect checks, allowing authenticated users to perform unauthorized actions.
Executive summary
A missing authorization vulnerability in OpenClaw allows authenticated users to bypass security controls, posing a significant risk of unauthorized data access.
Vulnerability
This flaw involves CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). An attacker with low privileges (PR:L) can leverage this via a network-based attack vector to override HTTP models and potentially access sensitive data.
Business impact
The vulnerability carries a CVSS score of 7.6, indicating a high severity risk. Successful exploitation may result in unauthorized access to sensitive information or unauthorized modification of system settings, potentially leading to a breach of data confidentiality.
Remediation
Immediate Action: Upgrade OpenClaw to version 2026.6.8 or later to resolve the authorization logic flaws.
Proactive Monitoring: Review application access logs for unusual patterns, specifically focusing on requests that involve HTTP model overrides or unexpected administrative actions by low-privileged accounts.
Compensating Controls: Implement strict network segmentation and ensure that the application is not exposed to untrusted networks; consider applying WAF rules to detect and block suspicious HTTP request structures.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high CVSS score and the nature of authorization bypass flaws, immediate remediation is required. Security teams should prioritize updating all instances of OpenClaw to version 2026.6.8 to effectively close the authorization gap and prevent unauthorized access.