This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OpenClaw has a critical **Authorization Bypass** in its WebSocket connections.β¦
π‘οΈ **Root Cause**: **CWE-862** (Missing Authorization). <br>π **Flaw**: The WebSocket connection path fails to properly verify user permissions, allowing unprivileged users to access restricted endpoints.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **OpenClaw** (Open-source AI Assistant). <br>π **Versions**: All versions **prior to 2026.3.12**. <br>β οΈ **Note**: Version 2026.3.12 and later are safe.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Actions**: Escalate privileges from standard user to **Administrator**. <br>π **Impact**: Full control over admin functions, potential data exfiltration, and system manipulation (High CVSS Impact).
π« **Public Exploit**: **No**. <br>π **PoCs**: The `pocs` field is empty. <br>π’ **Status**: Only vendor advisories and third-party reports exist; no wild exploitation code is currently public.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for **WebSocket connections** on OpenClaw instances. <br>π§ͺ **Test**: Attempt to perform admin actions via WebSocket without admin tokens.β¦
β **Fixed**: **Yes**. <br>π§ **Patch**: Upgrade to **OpenClaw 2026.3.12** or newer. <br>π **Source**: See GitHub Security Advisory (GHSA-rqpp-rjj8-7wv8).
Q9What if no patch? (Workaround)
π **Workaround**: If patching is delayed, **restrict WebSocket access** via firewall rules. <br>π **Mitigation**: Enforce strict **API Gateway authentication** and monitor for anomalous admin requests from non-admin IPs.