AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-943q-mwmv-hhvh: OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval

highvulnerability

security

Source: GitHub Advisory DatabaseMarch 2, 2026

Summary

OpenClaw Gateway had two security flaws that could let an attacker with a valid token escalate their access: the HTTP endpoint (`POST /tools/invoke`, a web interface for running tools) didn't block dangerous tools like session spawning by default, and the permission system could auto-approve risky operations without enough user confirmation. Together, these could allow an attacker to execute commands or control sessions if they reach the Gateway.

Solution / Mitigation

Update to OpenClaw version 2026.2.14 or later. The fix includes: denying high-risk tools over HTTP by default (with configuration overrides available via `gateway.tools.{allow,deny}`), requiring explicit prompts for any non-read/search permissions in the ACP (access control permission) system, adding security warnings when high-risk tools are re-enabled, and making permission matching stricter to prevent accidental auto-approvals. Additionally, keep the Gateway loopback-only (only accessible locally) by setting `gateway.bind="loopback"` or using `openclaw gateway run --bind loopback`, and avoid exposing it directly to the internet without using an SSH tunnel or Tailscale.

Classification

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrityavailability

Affected Vendors

Affected Packages

openclaw@< 2026.2.14 (fixed: 2026.2.14)

Original source: https://github.com/advisories/GHSA-943q-mwmv-hhvh

First tracked: March 2, 2026 at 07:00 PM

Classified by LLM (prompt v3) · confidence: 92%