CVE-2026-44991

MEDIUM

OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders

Title source: cna

Description

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory

GitHub Security Advisory (GHSA-c28g-vh7m-fm7v)

https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v

Patch patch

Patch Commit (1)

https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882

View Patch ZIP pw:eip

Patch patch

Patch Commit (2)

https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de94103f4c9f

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

VulnCheck Advisory: OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders

https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders

Scores

CVSS v3 4.2

EPSS 0.0003

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

npm/openclaw 0 - 2026.4.21npm

OpenClaw/OpenClaw < 2026.4.21

openclaw/openclaw < 2026.4.21

OpenClaw/OpenClaw 2026.4.21

Published May 11, 2026

Tracked Since May 11, 2026