CVE-2026-41299 Overview
OpenClaw before version 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method. The vulnerability exists because ACP-only provenance fields are gated by self-declared client metadata from the WebSocket handshake rather than by verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection.
This vulnerability is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision), highlighting a fundamental trust boundary violation in the gateway's authentication logic.
Critical Impact
Authenticated operators can impersonate ACP bridge identities and inject reserved provenance fields, potentially bypassing access controls and compromising message integrity within the OpenClaw chat system.
Affected Products
- OpenClaw versions prior to 2026.3.28
- OpenClaw chat.send gateway method
- OpenClaw WebSocket connection handler
Discovery Timeline
- 2026-04-21 - CVE-2026-41299 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-41299
Vulnerability Analysis
The authorization bypass vulnerability in OpenClaw stems from a flawed trust model in the chat.send gateway method. The system relies on self-declared client metadata provided during the WebSocket handshake to determine whether a client should have access to ACP-only provenance fields. Instead of verifying the actual authorization state of the connecting client against a trusted backend authentication service, the gateway accepts the client's claimed identity at face value.
This design flaw allows authenticated operator clients to craft malicious WebSocket connection requests that declare themselves as ACP bridge components. Once the spoofed identity is accepted, these clients gain the ability to inject reserved provenance fields that should exclusively be available to legitimate ACP bridge connections.
Root Cause
The root cause is the reliance on untrusted inputs for security decisions (CWE-807). The chat.send gateway method trusts client-supplied metadata from the WebSocket handshake to determine access privileges for ACP-only provenance fields. The system fails to independently verify the client's authorization state against a trusted authentication source, creating a trust boundary violation where clients can self-declare privileged identities.
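The trust-boundary error described above, shown as a server-side gate next to a hardened form. This is an added example, not OpenClaw's code or its patch; the field names, scope name and connection object shape are all hypothetical.

```javascript
// Added illustration. Every identifier below is hypothetical, not OpenClaw's.
const RESERVED_PROVENANCE_FIELDS = ["provenanceSource", "provenanceOrigin"];

// Vulnerable pattern (CWE-807): the gate reads a label the client chose
// for itself in the handshake.
function gateOnClientMetadata(conn) {
  return conn.handshake.clientMeta.role === "acp-bridge";
}

// Hardened pattern: the gate reads only state the server recorded when it
// authenticated the connection.
function gateOnVerifiedAuth(conn) {
  return conn.auth.verified === true && conn.auth.scopes.includes("acp.bridge");
}

// chat.send-style handler: reserved fields are rejected unless the gate passes.
function handleChatSend(conn, params, gate) {
  const reserved = RESERVED_PROVENANCE_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(params, f));
  if (reserved.length > 0 && !gate(conn)) {
    return { ok: false, error: "reserved provenance fields not permitted", reserved };
  }
  return { ok: true, accepted: { ...params } };
}

// Constructed connections: an operator whose handshake claims the bridge
// label, and a bridge whose scope was granted server-side.
const operatorClaimingBridge = {
  handshake: { clientMeta: { role: "acp-bridge" } },
  auth: { verified: true, principal: "operator-1", scopes: ["operator.write"] },
};
const verifiedBridge = {
  handshake: { clientMeta: { role: "acp-bridge" } },
  auth: { verified: true, principal: "svc-acp", scopes: ["acp.bridge"] },
};
const message = { text: "hello", provenanceSource: "acp" };

console.log(handleChatSend(operatorClaimingBridge, message, gateOnClientMetadata).ok); // true
console.log(handleChatSend(operatorClaimingBridge, message, gateOnVerifiedAuth).ok);   // false
console.log(handleChatSend(verifiedBridge, message, gateOnVerifiedAuth).ok);           // true
```

The handshake label is identical in both constructed connections; only the server-recorded scope separates them, which is why the hardened gate ignores the label entirely.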
Attack Vector
The attack is network-based and requires low-privilege authenticated access as an operator client. An attacker with valid operator credentials can exploit this vulnerability by:
- Establishing a WebSocket connection to the OpenClaw server
- Manipulating the client metadata during the handshake to claim ACP bridge identity
- Sending chat.send requests that include reserved provenance fields normally restricted to ACP bridges
- Injecting arbitrary provenance data that appears to originate from trusted ACP sources
The vulnerability allows for identity spoofing and unauthorized data injection without requiring any user interaction from the victim. For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-41299
Indicators of Compromise
- Unexpected provenance field values in chat messages originating from operator client connections
- WebSocket connections claiming ACP bridge identity from non-ACP IP addresses or client fingerprints
- Anomalous chat.send requests containing reserved provenance fields from standard operator sessions
- Audit log entries showing provenance field modifications by operator accounts
Detection Strategies
- Implement logging for all WebSocket handshake metadata, particularly client identity claims
- Create alerts for provenance field usage patterns that deviate from expected ACP bridge behavior
- Monitor for operator clients attempting to set ACP-reserved provenance fields
- Deploy network segmentation monitoring to detect ACP identity claims from unauthorized network segments
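One way to turn the strategies above into a log check, as an added example that is not part of the original advisory or of OpenClaw. The JSON log schema, event names, field names and principals are assumptions, and the sample lines are constructed.

```javascript
// Added illustration: the log schema and all field names are assumptions.
const RESERVED = new Set(["provenanceSource", "provenanceOrigin"]);

// Correlates handshake identity claims and chat.send parameters with the
// principal the server authenticated for each connection.
function findSpoofIndicators(lines, trustedBridgePrincipals) {
  const sessions = new Map(); // connId -> authenticated principal
  const findings = [];
  let unparsed = 0;
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { unparsed++; continue; }
    if (!ev || typeof ev !== "object") { unparsed++; continue; }
    if (ev.event === "ws.handshake") {
      sessions.set(ev.connId, ev.principal);
      if (ev.claimedClient === "acp-bridge" && !trustedBridgePrincipals.has(ev.principal)) {
        findings.push({ connId: ev.connId, principal: ev.principal,
                        reason: "acp-claim-by-non-bridge" });
      }
    } else if (ev.event === "chat.send") {
      const principal = sessions.get(ev.connId) || "unknown";
      const fields = Object.keys(ev.params || {}).filter((k) => RESERVED.has(k));
      if (fields.length > 0 && !trustedBridgePrincipals.has(principal)) {
        findings.push({ connId: ev.connId, principal, fields,
                        reason: "reserved-field-by-non-bridge" });
      }
    }
  }
  return { findings, unparsed };
}

// Constructed sample log lines, including one truncated record.
const SAMPLE_LOG = [
  '{"event":"ws.handshake","connId":"c1","principal":"svc-acp-bridge","claimedClient":"acp-bridge"}',
  '{"event":"ws.handshake","connId":"c2","principal":"operator-7","claimedClient":"acp-bridge"}',
  '{"event":"chat.send","connId":"c1","params":{"text":"hi","provenanceSource":"acp"}}',
  '{"event":"chat.send","connId":"c2","params":{"text":"hi","provenanceSource":"acp"}}',
  '{"event":"chat.send","connId":"c3","params":{"text":"plain"}}',
  'truncated {"event":',
];

console.log(findSpoofIndicators(SAMPLE_LOG, new Set(["svc-acp-bridge"])));
```

Unparsed lines are counted rather than dropped silently, so a gap in logging shows up alongside the findings.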
Monitoring Recommendations
- Enable verbose logging on the chat.send gateway method to capture all provenance field assignments
- Implement real-time alerting for identity spoofing attempts detected in WebSocket connections
- Review authentication and authorization logs for patterns indicating identity escalation attempts
- Establish baseline behavior profiles for legitimate ACP bridge connections to detect anomalies
How to Mitigate CVE-2026-41299
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.28 or later immediately
- Audit existing chat logs for evidence of provenance field manipulation by unauthorized clients
- Review WebSocket connection logs for suspicious ACP identity claims from operator accounts
- Temporarily restrict operator access if suspicious activity is detected pending investigation
Patch Information
The vulnerability is addressed in OpenClaw version 2026.3.28. The fix implements proper server-side verification of authorization state rather than relying on client-declared metadata for provenance field access decisions. Organizations should upgrade to this version as soon as possible.
For additional details, consult the GitHub Security Advisory and the VulnCheck Security Advisory.
Workarounds
- Implement network-level restrictions to limit which hosts can claim ACP bridge identity
- Deploy an additional authentication layer at a reverse proxy to validate ACP connection claims
- Configure Web Application Firewall rules to inspect and filter WebSocket handshake metadata
- Restrict operator account privileges to minimum required access while awaiting patch deployment
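# Example: Network restriction for ACP bridge connections
# Allow ACP identity claims only from trusted IP ranges
# The string match inspects packet payload as seen by this host, so it only
# matches where the traffic arrives unencrypted; it cannot see inside TLS
iptables -A INPUT -p tcp --dport 443 ! -s 10.0.1.0/24 -m string --string "acp-bridge" --algo bm -j DROP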


