CVE-2026-28473 Overview
OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.
Critical Impact
Unauthorized users with limited operator.write privileges can bypass authorization controls to approve or deny execution requests, potentially allowing malicious code execution or blocking legitimate operations.
Affected Products
- OpenClaw versions prior to 2026.2.2
Discovery Timeline
- 2026-03-05 - CVE-2026-28473 published to NVD
- 2026-03-05 - Last updated in the NVD database
Technical Details for CVE-2026-28473
Vulnerability Analysis
This authorization bypass vulnerability (CWE-863: Incorrect Authorization) allows clients to circumvent permission checks through an alternative code path. The vulnerability stems from inconsistent authorization enforcement between different entry points to the same functionality.
When a user invokes the /approve chat command, the request is processed through an internal privileged gateway client that holds elevated permissions. That gateway client then calls exec.approval.resolve on the user's behalf. The authorization check for the operator.approvals permission, however, is performed only when the RPC endpoint is called directly, not when the same operation is reached through the chat command pathway.
This architectural flaw means that any client with the lesser operator.write scope can effectively perform privileged approval operations that should require the operator.approvals permission.
Root Cause
The root cause is improper authorization enforcement in the chat command handler. The /approve command implementation uses an internal privileged gateway client to invoke exec.approval.resolve, which inherently trusts the gateway's elevated permissions rather than validating the originating user's actual authorization level. The permission check for operator.approvals is only applied to direct RPC calls, creating an authorization bypass through the chat interface.
Attack Vector
The attack is network-accessible and requires low privileges to exploit. An attacker must have a valid account with operator.write scope, which is a lower-privileged permission than operator.approvals. The attacker simply sends the /approve chat command to approve or deny pending exec approval requests. Since the chat command pathway uses an internal privileged client, the authorization bypass occurs automatically without any additional exploitation steps required.
The attack does not require user interaction and can be executed by any authenticated client with operator.write permissions through normal application interfaces.
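The following is an added illustration of the CWE-863 pattern described in the Root Cause and Attack Vector sections; it is not OpenClaw's code. It models two entry points to the same approval operation: a direct RPC path that checks the caller's scopes, and a chat command path that forwards through a privileged internal session. All identifiers (Scope, Session, ApprovalStore, privilegedSession, handleApproveCommandVulnerable, handleApproveCommandFixed, the "/approve <id> [deny]" syntax) are assumptions made for this example.

```typescript
// Added example: toy model of the two entry points described in the advisory.
// Every identifier here is an assumption for illustration, not OpenClaw's real code.

type Scope = "operator.write" | "operator.approvals";
type Decision = "approved" | "denied";
type ApprovalState = "pending" | Decision;

interface Session {
  user: string;
  scopes: Set<Scope>;
}

type ApprovalStore = Map<string, ApprovalState>;

// Constructed store of pending exec approval requests.
function newStore(ids: string[]): ApprovalStore {
  return new Map(ids.map((id) => [id, "pending" as ApprovalState]));
}

// Session the gateway uses internally; it carries every scope.
function privilegedSession(): Session {
  return { user: "gateway-internal", scopes: new Set<Scope>(["operator.write", "operator.approvals"]) };
}

// The single authorization rule for resolving an approval. The fix is to apply it
// to the originating user regardless of which entry point was used.
function mayResolveApprovals(s: Session): boolean {
  return s.scopes.has("operator.approvals");
}

function applyDecision(store: ApprovalStore, id: string, decision: Decision): string {
  const state = store.get(id);
  if (state === undefined) return "not-found";
  if (state !== "pending") return "already-resolved";
  store.set(id, decision);
  return "ok";
}

// Direct RPC entry point (the analogue of exec.approval.resolve): checks the caller's scopes.
function rpcResolveExecApproval(store: ApprovalStore, caller: Session, id: string, decision: Decision): string {
  if (!mayResolveApprovals(caller)) return "forbidden";
  return applyDecision(store, id, decision);
}

// Parses the constructed "/approve <id> [deny]" chat command.
function parseApproveCommand(text: string): { id: string; decision: Decision } | null {
  const parts = text.trim().split(/\s+/);
  if (parts[0] !== "/approve" || parts.length < 2) return null;
  return { id: parts[1], decision: parts[2] === "deny" ? "denied" : "approved" };
}

// Vulnerable handler: only operator.write is needed to send a chat command, and the
// RPC is then invoked through the privileged internal session, so the
// operator.approvals check is evaluated against the gateway, not the user.
function handleApproveCommandVulnerable(store: ApprovalStore, caller: Session, text: string): string {
  if (!caller.scopes.has("operator.write")) return "forbidden";
  const cmd = parseApproveCommand(text);
  if (cmd === null) return "bad-command";
  return rpcResolveExecApproval(store, privilegedSession(), cmd.id, cmd.decision);
}

// Fixed handler: the originating user's scopes are checked before anything is
// forwarded, so both entry points enforce the same rule.
function handleApproveCommandFixed(store: ApprovalStore, caller: Session, text: string): string {
  if (!caller.scopes.has("operator.write")) return "forbidden";
  if (!mayResolveApprovals(caller)) return "forbidden";
  const cmd = parseApproveCommand(text);
  if (cmd === null) return "bad-command";
  return rpcResolveExecApproval(store, privilegedSession(), cmd.id, cmd.decision);
}
```

The point of the fixed handler is not that it stops using the internal client, but that the authorization decision is made once, on the originating session, by the same predicate the RPC path uses. Any new entry point that forwards through a privileged client needs that same check, which is why an audit of every caller of the privileged client is a useful follow-up to the upgrade.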
Detection Methods for CVE-2026-28473
Indicators of Compromise
- Exec approval resolution events initiated by users lacking operator.approvals permission
- Unusual patterns of /approve chat command usage from accounts with only operator.write scope
- Approval or denial of execution requests by unauthorized operators
Detection Strategies
- Implement logging that correlates chat command execution with the originating user's actual permission set
- Monitor for exec approval resolutions where the initiating user does not have operator.approvals permission
- Create alerts for approval operations that bypass the standard RPC authorization pathway
Monitoring Recommendations
- Audit all exec approval resolution events and validate the initiator has proper permissions
- Review access logs for patterns of /approve command usage across user accounts
- Monitor for privilege escalation attempts through alternative command pathways
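The detection and monitoring strategies above come down to one correlation: for every exec approval resolution, identify the human who originated it and check whether that account actually holds operator.approvals. The example below is added here and is not OpenClaw's code or log schema; the audit line format, the field names, the "gateway-internal" principal name, the scope table and all sample events are constructed for this illustration. It also handles the case a practitioner will hit in practice: when the chat path is used, the resolve event may name the internal client rather than the user, so the detector walks back to the most recent chat command for the same approval id.

```typescript
// Added detection example. Log format, field names, principals and scope table are
// constructed assumptions for this illustration, not OpenClaw's real schema.

type Scope = "operator.write" | "operator.approvals";

interface AuditEvent {
  ts: string;
  event: "chat.command" | "exec.approval.resolve";
  user: string;          // principal the gateway recorded as the initiator
  entry: "chat" | "rpc"; // entry point that produced the event
  approvalId: string;
  command?: string;
  decision?: "approved" | "denied";
}

interface Finding {
  ts: string;
  approvalId: string;
  user: string;
  reason: string;
}

// Assumed name of the privileged internal client as it appears in the audit log.
const INTERNAL_PRINCIPAL = "gateway-internal";

// Constructed permission table; in a real deployment this comes from the identity store.
const USER_SCOPES: Record<string, Scope[]> = {
  alice: ["operator.write"],
  bob: ["operator.write", "operator.approvals"],
};

// Constructed audit lines: alice (write-only) resolves req-17 through /approve,
// bob (authorized) resolves req-18 via RPC and req-19 through /approve, and
// req-20 is resolved by the internal client with no originating command at all.
const SAMPLE_LOG = [
  '{"ts":"2026-03-05T10:00:00Z","event":"chat.command","user":"alice","entry":"chat","approvalId":"req-17","command":"/approve req-17"}',
  '{"ts":"2026-03-05T10:00:01Z","event":"exec.approval.resolve","user":"gateway-internal","entry":"chat","approvalId":"req-17","decision":"approved"}',
  '{"ts":"2026-03-05T10:05:00Z","event":"exec.approval.resolve","user":"bob","entry":"rpc","approvalId":"req-18","decision":"denied"}',
  '{"ts":"2026-03-05T10:07:00Z","event":"chat.command","user":"bob","entry":"chat","approvalId":"req-19","command":"/approve req-19"}',
  '{"ts":"2026-03-05T10:07:01Z","event":"exec.approval.resolve","user":"gateway-internal","entry":"chat","approvalId":"req-19","decision":"approved"}',
  '{"ts":"2026-03-05T10:09:00Z","event":"exec.approval.resolve","user":"gateway-internal","entry":"chat","approvalId":"req-20","decision":"approved"}',
].join("\n");

// One JSON object per line; blank lines are ignored.
function parseAuditLog(text: string): AuditEvent[] {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line) as AuditEvent);
}

function hasScope(scopes: Record<string, Scope[]>, user: string, scope: Scope): boolean {
  return (scopes[user] ?? []).includes(scope);
}

// Attributes a resolve event to the user who caused it. If the event names the
// internal principal, walk backwards to the latest chat command for the same id.
function originatingUser(events: AuditEvent[], idx: number): string {
  const ev = events[idx];
  if (ev.user !== INTERNAL_PRINCIPAL) return ev.user;
  for (let i = idx - 1; i >= 0; i--) {
    const prev = events[i];
    if (prev.event === "chat.command" && prev.approvalId === ev.approvalId) return prev.user;
  }
  return INTERNAL_PRINCIPAL; // nothing to attribute it to; reported as its own finding
}

// Flags every resolution whose originating user lacks operator.approvals, plus any
// resolution by the internal client that cannot be tied to a user's command.
function detectUnauthorizedApprovals(events: AuditEvent[], scopes: Record<string, Scope[]>): Finding[] {
  const findings: Finding[] = [];
  events.forEach((ev, idx) => {
    if (ev.event !== "exec.approval.resolve") return;
    const user = originatingUser(events, idx);
    if (user === INTERNAL_PRINCIPAL) {
      findings.push({ ts: ev.ts, approvalId: ev.approvalId, user, reason: "resolution by internal client with no originating command" });
    } else if (!hasScope(scopes, user, "operator.approvals")) {
      findings.push({ ts: ev.ts, approvalId: ev.approvalId, user, reason: `resolved via ${ev.entry} without operator.approvals` });
    }
  });
  return findings;
}

// Runs the detector over the constructed sample.
function runSample(): Finding[] {
  return detectUnauthorizedApprovals(parseAuditLog(SAMPLE_LOG), USER_SCOPES);
}
```

On the constructed sample this yields two findings: req-17, attributed to alice, who holds only operator.write; and req-20, which the internal client resolved without any command to attribute it to. bob's two resolutions are not flagged. If the gateway's real logs do not carry a stable approval id on both the command and the resolve event, the same correlation has to fall back to a short time window, which is noisier, so recording the originating user directly on the resolve event is the logging improvement worth asking for.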
How to Mitigate CVE-2026-28473
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.2 or later immediately
- Audit existing user permissions and review accounts with operator.write scope
- Review exec approval logs for any unauthorized approval or denial activities
- Consider temporarily disabling the /approve chat command until patched
Patch Information
OpenClaw has addressed this vulnerability in version 2026.2.2. The fix ensures that authorization checks are consistently applied regardless of the entry point. The patch can be reviewed in the GitHub commit. Additional details are available in the GitHub Security Advisory and the VulnCheck Advisory.
Workarounds
- Restrict operator.write scope to only trusted users who should have approval capabilities until patching is complete
- Disable or remove the /approve chat command through configuration if possible
- Implement network segmentation to limit access to OpenClaw instances from untrusted networks
- Add additional monitoring and alerting for all exec approval resolution events
Configuration example

```shell
# Upgrade OpenClaw to the patched version
# Check current version
openclaw --version
# Update to patched version 2026.2.2 or later
openclaw upgrade --version 2026.2.2
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.