{"data":{"id":"9780d2cb-41a4-4581-bcc2-bbfa9793160a","title":"GHSA-943q-mwmv-hhvh: OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval","summary":"OpenClaw Gateway had two security flaws that could let an attacker with a valid token escalate their access: the HTTP endpoint (`POST /tools/invoke`, a web interface for running tools) didn't block dangerous tools like session spawning by default, and the permission system could auto-approve risky operations without enough user confirmation. Together, these could allow an attacker to execute commands or control sessions if they reach the Gateway.","solution":"Update to OpenClaw version 2026.2.14 or later. The fix includes: denying high-risk tools over HTTP by default (with configuration overrides available via `gateway.tools.{allow,deny}`), requiring explicit prompts for any non-read/search permissions in the ACP (access control permission) system, adding security warnings when high-risk tools are re-enabled, and making permission matching stricter to prevent accidental auto-approvals. \nAdditionally, keep the Gateway loopback-only (only accessible locally) by setting `gateway.bind=\"loopback\"` or using `openclaw gateway run --bind loopback`, and avoid exposing it directly to the internet without using an SSH tunnel or Tailscale.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-943q-mwmv-hhvh","publishedAt":"2026-03-02T23:32:22.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.14 (fixed: 2026.2.14)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}