CVE-2026-43568 Overview
CVE-2026-43568 is a missing-authorization vulnerability in OpenClaw versions 2026.4.5 through 2026.4.9 that allows privilege escalation. The flaw resides in the /dreaming endpoint of the memory-core extension: the handler for the dreaming command applies persistent changes to the memory dreaming configuration without checking whether the caller holds the operator.admin scope. An operator whose gateway token carries only write scope can therefore modify settings reserved for administrators; there is no authorization check to bypass, because none exists on that path. The vulnerability is classified under CWE-862: Missing Authorization.
Critical Impact
An operator holding only a write-scoped gateway token can escalate to admin-class configuration control by mutating persistent memory dreaming state through the /dreaming endpoint; the operator.admin scope is never checked on that path, so no further privilege is needed.
Affected Products
- OpenClaw 2026.4.5 through 2026.4.9 (Node.js distribution); 2026.4.10 carries the fix
- OpenClaw memory-core extension (extensions/memory-core)
Discovery Timeline
- 2026-05-05 - CVE-2026-43568 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43568
Vulnerability Analysis
OpenClaw exposes a dreaming command through its plugin API for managing persistent memory dreaming behavior. The command handler in extensions/memory-core/src/dreaming-command.ts accepts mutation requests from any client with write scope and does not verify whether the caller holds the operator.admin scope before applying configuration changes. As a result, any operator whose token carries write scope can persistently alter memory dreaming settings reserved for administrators.
A secondary issue compounds the flaw. The chat server method in src/gateway/server-methods/chat.ts propagates client?.connect?.scopes to downstream handlers as-is. When that property is undefined, downstream authorization logic receives no scope set at all rather than an empty one, and a check that keys on the contents of a scope array never fires; an absent claim therefore behaves like an unrestricted caller instead of like a caller with no privileges. This widens the conditions under which privileged mutations succeed.
Root Cause
The root cause is a missing authorization check on a state-mutating API path. The dreaming command handler accepts persistent toggle operations without enforcing role-based access control. The patch introduces a requiresAdminToMutateDreaming predicate that returns true when the caller's scope array lacks operator.admin, and the handler refuses the mutation in that case. Without this gate, write-scoped tokens were sufficient to mutate admin-only configuration.
Attack Vector
Exploitation requires network access to the OpenClaw gateway and a valid operator credential with write scope. The attacker sends a crafted request to the /dreaming endpoint that toggles the persistent memory dreaming configuration. Because the handler does not verify the operator.admin scope, the mutation is applied. No user interaction is required.
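The missing check, the patch's predicate and the undefined-scopes edge case that the chat.ts normalization exists for, as an added example that is not OpenClaw's code: a minimal model of the handler before and after the fix. requiresAdminToMutateDreaming and the operator.admin scope name come from the patch on this page; the state shape, the function names mutateDreamingVulnerable, mutateDreamingPatched, normalizeGatewayScopes and runScenarios, and the operator.write scope name are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code): a minimal model of the dreaming command
// handler before and after commit 6af17b3. The predicate and "operator.admin"
// are taken from the patch on this page; every other name here is assumed.

export interface DreamingState {
  // Persistent setting that the command toggles (assumed shape).
  persistentEnabled: boolean;
}

export interface MutationResult {
  applied: boolean;
  reason: string;
}

// Predicate as added by the patch: true only when the caller has a scope array
// that lacks operator.admin. Undefined scopes yield false, i.e. the gate is NOT
// applied, so the gateway must never hand undefined to this function.
export function requiresAdminToMutateDreaming(
  gatewayClientScopes?: readonly string[],
): boolean {
  return Array.isArray(gatewayClientScopes) && !gatewayClientScopes.includes("operator.admin");
}

// Gateway-side normalization from the chat.ts hunk: a missing claim becomes an
// empty scope set, which the predicate then treats as "no privileges".
export function normalizeGatewayScopes(scopes?: readonly string[]): readonly string[] {
  return scopes ?? [];
}

// Before the fix (assumed reconstruction): no scope check at all, so any caller
// that reaches the handler, including one with only write scope, wins.
export function mutateDreamingVulnerable(
  state: DreamingState,
  _gatewayClientScopes: readonly string[] | undefined,
  enable: boolean,
): MutationResult {
  state.persistentEnabled = enable;
  return { applied: true, reason: "no authorization check" };
}

// After the fix: refuse the persistent toggle unless operator.admin is present.
export function mutateDreamingPatched(
  state: DreamingState,
  gatewayClientScopes: readonly string[] | undefined,
  enable: boolean,
): MutationResult {
  if (requiresAdminToMutateDreaming(gatewayClientScopes)) {
    return { applied: false, reason: "operator.admin scope required to change dreaming state" };
  }
  state.persistentEnabled = enable;
  return { applied: true, reason: "authorized" };
}

// Walk the scenarios from the advisory and report which ones applied the change.
export function runScenarios(): Record<string, boolean> {
  const writeOnly: readonly string[] = ["operator.write"]; // assumed scope name
  const admin: readonly string[] = ["operator.write", "operator.admin"];
  const fresh = (): DreamingState => ({ persistentEnabled: false });

  return {
    // The CVE: a write-scoped token flips admin-only persistent state.
    vulnerableWriteOnly: mutateDreamingVulnerable(fresh(), writeOnly, true).applied,
    // Patched handler, write-only token: blocked.
    patchedWriteOnly: mutateDreamingPatched(fresh(), writeOnly, true).applied,
    // Patched handler, admin token: allowed.
    patchedAdmin: mutateDreamingPatched(fresh(), admin, true).applied,
    // Edge case: undefined scopes skip the gate, so the change still applies.
    patchedUndefinedScopes: mutateDreamingPatched(fresh(), undefined, true).applied,
    // With the chat.ts normalization in front, undefined becomes [] and is blocked.
    patchedNormalizedScopes: mutateDreamingPatched(fresh(), normalizeGatewayScopes(undefined), true).applied,
  };
}
```

runScenarios returns the outcome of each case. The patchedUndefinedScopes case is why the predicate alone is not sufficient: the gateway must normalize missing scopes to an empty array before they reach the handler, which is what the second hunk of the patch does.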
// Patch in extensions/memory-core/src/dreaming-command.ts
].join("\n");
}
+function requiresAdminToMutateDreaming(gatewayClientScopes?: readonly string[]): boolean {
+ return Array.isArray(gatewayClientScopes) && !gatewayClientScopes.includes("operator.admin");
+}
+
export function registerDreamingCommand(api: OpenClawPluginApi): void {
api.registerCommand({
name: "dreaming",
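Review bot: requiresAdminToMutateDreaming fails open for callers whose scopes are undefined: the `Array.isArray(gatewayClientScopes)` guard makes the predicate return false, so the admin gate is skipped entirely and a mutation is only refused once the gateway has materialized a scope array. That is presumably meant for non-gateway callers, but nothing in the hunk documents it, and any caller that forwards undefined scopes (as chat.ts did before this commit) silently regains the pre-fix behavior. Suggest either treating undefined as an empty array here (`const scopes = gatewayClientScopes ?? [];`) and marking trusted local callers with an explicit typed sentinel, or at minimum a doc comment on the predicate stating that undefined means "not a gateway client" and that every caller must normalize.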
Source: GitHub commit 6af17b3
// Patch in src/gateway/server-methods/chat.ts - normalize scopes
SenderId: clientInfo?.id,
SenderName: clientInfo?.displayName,
SenderUsername: clientInfo?.displayName,
- GatewayClientScopes: client?.connect?.scopes,
+ GatewayClientScopes: client?.connect?.scopes ?? [],
};
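Review bot: normalizing `client?.connect?.scopes` to `[]` at this single call site closes the chat path, but the admin gate in dreaming-command.ts depends on every producer of GatewayClientScopes doing the same, since the predicate treats undefined as "no gate required". Suggest moving the `?? []` to where the connect scopes are first read from the client record so that no downstream consumer can observe undefined, and adding a regression test that drives the dreaming mutation through this chat path with a client whose connect message carries no scopes.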
Source: GitHub commit 6af17b3
Detection Methods for CVE-2026-43568
Indicators of Compromise
- HTTP requests to the /dreaming endpoint originating from clients holding only write scope, without operator.admin.
- Unexpected modifications to persistent memory dreaming configuration outside of administrator change windows.
- Repeated dreaming command invocations from a single operator session that toggle persistent state.
Detection Strategies
- Inspect gateway access logs for dreaming command invocations and correlate the caller's scopes against the requested operation.
- Alert when a client without the operator.admin scope issues a mutation against memory-core configuration paths.
- Track configuration drift in persistent memory dreaming settings and trigger review on any unauthorized change.
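The first two detection strategies above, run over constructed gateway log lines, as an added example that is not OpenClaw's code. OpenClaw's real log format is not shown on this page; the one-JSON-object-per-line layout and the field names ts, clientId, command, mutation and scopes are assumptions, as are the function names parseGatewayLine, detectUnauthorizedDreamingMutations and findingsPerClient. The sample records are constructed for the example.

```typescript
// Added example (not OpenClaw's code): flag dreaming mutations whose recorded
// caller scopes lack operator.admin. Log layout and field names are assumed.

export interface GatewayLogEvent {
  ts: string;
  clientId: string;
  command: string;
  mutation: boolean;        // true when the command changed persistent state
  scopes: string[];         // scope claims the gateway recorded for the caller
  scopesRecorded: boolean;  // false when the record carried no scopes field at all
}

export interface Finding {
  ts: string;
  clientId: string;
  reason: string;
}

// Constructed sample: one write-only mutation (the CVE), one admin mutation,
// one read-only query, one mutation with no scope claim, one corrupt line and
// one unrelated command.
export const SAMPLE_LOG: string = [
  '{"ts":"2026-05-06T01:02:03Z","clientId":"op-7","command":"dreaming","mutation":true,"scopes":["operator.write"]}',
  '{"ts":"2026-05-06T01:02:10Z","clientId":"op-2","command":"dreaming","mutation":true,"scopes":["operator.write","operator.admin"]}',
  '{"ts":"2026-05-06T01:02:11Z","clientId":"op-7","command":"dreaming","mutation":false,"scopes":["operator.write"]}',
  '{"ts":"2026-05-06T01:02:12Z","clientId":"op-9","command":"dreaming","mutation":true}',
  'this line is not JSON',
  '{"ts":"2026-05-06T01:03:00Z","clientId":"op-7","command":"chat.send","mutation":false,"scopes":["operator.write"]}',
].join("\n");

// Parse one line defensively; anything that is not a well-formed event is
// skipped rather than allowed to abort the whole scan.
export function parseGatewayLine(line: string): GatewayLogEvent | null {
  let raw: unknown;
  try {
    raw = JSON.parse(line);
  } catch (_err) {
    return null;
  }
  if (typeof raw !== "object" || raw === null) return null;
  const o = raw as Record<string, unknown>;
  if (typeof o.command !== "string") return null;
  const scopesRecorded = Array.isArray(o.scopes);
  return {
    ts: typeof o.ts === "string" ? o.ts : "",
    clientId: typeof o.clientId === "string" ? o.clientId : "unknown",
    command: o.command,
    mutation: o.mutation === true,
    scopes: scopesRecorded ? (o.scopes as unknown[]).map(String) : [],
    scopesRecorded,
  };
}

// Flag every dreaming mutation whose recorded scopes lack operator.admin. A
// record with no scopes field is flagged too: after the fix an absent claim
// means an empty scope set, and before it that is exactly the ambiguous case.
export function detectUnauthorizedDreamingMutations(log: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of log.split("\n")) {
    const ev = parseGatewayLine(line);
    if (ev === null || ev.command !== "dreaming" || !ev.mutation) continue;
    if (ev.scopes.includes("operator.admin")) continue;
    findings.push({
      ts: ev.ts,
      clientId: ev.clientId,
      reason: ev.scopesRecorded
        ? `dreaming mutation with scopes [${ev.scopes.join(", ")}] lacking operator.admin`
        : "dreaming mutation with no scope claim recorded",
    });
  }
  return findings;
}

// Count flagged mutations per client so repeated toggling from one session stands out.
export function findingsPerClient(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) counts.set(f.clientId, (counts.get(f.clientId) ?? 0) + 1);
  return counts;
}
```

Read-only dreaming invocations and commands other than dreaming are ignored, and the per-client count feeds the "repeated invocations from a single session" indicator listed above.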
Monitoring Recommendations
- Forward OpenClaw gateway logs to a centralized logging platform and retain authorization decisions and scope claims.
- Baseline normal dreaming command usage so that anomalous mutation frequency and timing become visible.
- Monitor authentication tokens issued with write scope and review their activity against admin-restricted endpoints.
How to Mitigate CVE-2026-43568
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which enforces the operator.admin scope check on dreaming mutations.
- Audit all gateway tokens currently issued with write scope and revoke any that are not strictly required.
- Review persistent memory dreaming configuration for unauthorized changes and restore known-good values where needed.
Patch Information
The fix is delivered in commit 6af17b39e11f5f35e23b7e5a5f71a7d0aa3c7310. It introduces the requiresAdminToMutateDreaming predicate in extensions/memory-core/src/dreaming-command.ts and normalizes missing scopes to an empty array in src/gateway/server-methods/chat.ts. Refer to the GitHub Security Advisory GHSA-5gjc-grvm-m88j and the VulnCheck Advisory for upgrade guidance.
Workarounds
- Restrict network access to the OpenClaw gateway so that only trusted operators can reach the /dreaming endpoint.
- Avoid issuing write-scoped tokens to non-administrative users until the patched version is deployed.
- Place the gateway behind an upstream policy proxy that blocks dreaming command requests lacking the operator.admin scope claim. The proxy must be able to resolve the presented token to its scopes (for example, from the same token store the gateway consults); a proxy that only inspects request bodies cannot verify the claim.
# Verify installed OpenClaw version and upgrade via npm
npm list openclaw
npm install openclaw@^2026.4.10
# Audit dreaming invocations whose recorded scopes do not include operator.admin
# (example query; the log path and the JSON field names are illustrative and
# must be adjusted to the gateway's actual log format)
grep -E '"command":"dreaming"' /var/log/openclaw/gateway.log \
| grep -vF 'operator.admin'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


