GHSA-hfpr-jhpq-x4rm
MEDIUMOpenClaw: `operator.write` chat.send could reach admin-only config writes
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
openclawnpmDescription
Summary
A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.3.2 - Affected range:
<= 2026.3.2 - Patched in:
2026.3.7
Details
Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.<provider>.configWrites gates. That allowed an authenticated operator.write gateway client to bridge into persistent config writes even though direct config.* RPC methods remain operator.admin scoped.
The fix keeps command functionality intact while restoring the intended scope boundary:
- persistent
/config set|unsetwrites routed through gatewaychat.sendnow requireoperator.admin - read-only
/config showremains available to normal write-scoped gateway clients - normal messaging-channel
/configbehavior remains unchanged
Impact
This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with operator.write, chat.send access, and /config command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation.
Fix Commit(s)
5f8f58ae25e2a78f31b06edcf26532d634ca554e
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | openclaw | all versions | 2026.3.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.3.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hfpr-jhpq-x4rm is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-hfpr-jhpq-x4rm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-hfpr-jhpq-x4rm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-hfpr-jhpq-x4rm in your dependencies?
O3 detects GHSA-hfpr-jhpq-x4rm across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.