CVE-2026-45001 Overview
CVE-2026-45001 is a missing authorization vulnerability [CWE-862] in OpenClaw versions prior to 2026.4.20. The flaw resides in the agent-facing gateway endpoints config.patch and config.apply, which fail to protect operator-trusted settings from mutation by agent tooling. Protected settings include sandbox policy, plugin enablement, gateway authentication and TLS, hook routing, Model Context Protocol (MCP) server configuration, Server-Side Request Forgery (SSRF) policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to these protected operator settings, undermining the security boundary between the agent and its host configuration.
Critical Impact
Prompt injection against an OpenClaw agent with gateway tool access can silently rewrite sandbox, SSRF, TLS, and MCP configuration, enabling persistent downgrade of host-level guardrails.
Affected Products
- OpenClaw (Node.js distribution) versions prior to 2026.4.20
- Deployments exposing the agent-facing gateway config.patch endpoint
- Deployments exposing the agent-facing gateway config.apply endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-45001 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45001
Vulnerability Analysis
OpenClaw exposes a gateway tool that lets an operator-controlled model adjust runtime configuration through the config.patch and config.apply endpoints. These endpoints accept arbitrary configuration keys without enforcing a server-side allowlist that separates agent-mutable settings from operator-only settings. As a result, the trust boundary between the language model and the host operator collapses at the configuration layer.
An attacker who can influence model input — for example through indirect prompt injection in retrieved documents or tool outputs — can instruct the model to invoke the gateway tool against protected keys. The mutation is persisted, so the weakened policy survives session resets and continues to apply to future agent operations.
The affected protected surfaces include sandbox enforcement flags, plugin enablement, gateway authentication and TLS settings, hook routing, MCP server registration, SSRF egress policy, and filesystem hardening flags. Each of these controls is foundational to containing the agent, so disabling them sets up follow-on impact such as outbound SSRF, malicious MCP server attachment, or sandbox escape.
Root Cause
The gateway mutation guard does not differentiate between operator-trusted configuration keys and agent-permitted keys. Because authorization is missing on protected paths, any caller of the gateway tool inherits operator-level write capability over the configuration.
Attack Vector
Exploitation is network-reachable and requires that the targeted agent have access to the owner-only gateway tool. The attacker delivers prompt-injection content the model will ingest, causing the model to issue config.patch or config.apply calls against protected settings.
// Source: https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422
// Patch: src/security/dangerous-config-flags.ts
import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../agents/agent-scope.js";
+import { DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS } from "../agents/sandbox/config.js";
import type { OpenClawConfig } from "../config/types.openclaw.js";
import {
collectPluginConfigContractMatches,
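Review bot: The added import on the `+` line makes src/security/dangerous-config-flags.ts depend on ../agents/sandbox/config.js for DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS, so the list of sandbox flags the security module treats as dangerous is now defined in agent code. A comment at the definition marking the list as security-relevant, plus a test that fails when a Docker boolean is added without being classified, would keep the two from drifting apart. The excerpt ends inside the next import statement and shows no use of the constant, so the guard change itself cannot be reviewed from these lines.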
The patch imports DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS into the dangerous-config-flags module and tightens the gateway mutation guard so protected keys cannot be written through the agent-facing endpoints.
Detection Methods for CVE-2026-45001
Indicators of Compromise
- Gateway audit log entries showing config.patch or config.apply calls that target sandbox, TLS, auth, MCP, SSRF, or filesystem keys.
- Unexpected newly registered MCP servers or hook routes appearing in the OpenClaw configuration store.
- Sandbox or SSRF policy flags transitioning from a restrictive to a permissive state outside of a change window.
- Agent transcripts containing instructions to invoke the gateway tool against operator-only settings.
Detection Strategies
- Compare the persisted OpenClaw configuration against a known-good baseline and alert on drift in protected keys.
- Parse gateway request logs for config.patch and config.apply calls whose key paths intersect the operator-trusted set.
- Correlate prompt-injection signals in retrieved content with subsequent gateway tool invocations from the same agent session.
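The first two strategies above, as an added JavaScript example that is not OpenClaw code: it flattens configuration objects to dotted key paths, reports drift in protected keys against a baseline, and flags config.patch or config.apply log records that write protected paths. The key prefixes and the { method, params } record shape are assumptions, since the advisory names the protected categories but not their real key paths.

```javascript
// Hypothetical key prefixes: the advisory names the protected categories but
// not their real key paths, so substitute the paths from your own config.
const PROTECTED_PREFIXES = ["sandbox", "plugins", "gateway.auth", "gateway.tls",
  "hooks", "mcp", "ssrf", "filesystem"];
const GUARDED_METHODS = new Set(["config.patch", "config.apply"]);

// Flatten nested config into { "a.b.c": value }. Arrays, null and empty
// objects stay leaves, so a write of "sandbox: {}" is still visible.
function flatten(obj, prefix = "", out = {}) {
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    const nested = value !== null && typeof value === "object" &&
      !Array.isArray(value) && Object.keys(value).length > 0;
    if (nested) flatten(value, path, out);
    else out[path] = value;
  }
  return out;
}

// Protected if the path equals a prefix, sits below one, or is an ancestor of
// one (writing "gateway" as a whole replaces "gateway.auth"). Matching on the
// "." boundary keeps "sandboxNotes" from matching "sandbox".
function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) =>
    path === p || path.startsWith(p + ".") || p.startsWith(path + "."));
}

// Baseline comparison: protected leaves that were changed, added or removed.
function protectedDrift(baseline, current) {
  const a = flatten(baseline), b = flatten(current);
  return [...new Set([...Object.keys(a), ...Object.keys(b)])]
    .filter(isProtected)
    .filter((p) => JSON.stringify(a[p]) !== JSON.stringify(b[p]))
    .sort()
    .map((p) => ({ path: p, baseline: a[p], current: b[p] }));
}

// Log check: protected paths written by one gateway request record.
// The { method, params } record shape is an assumed log format.
function protectedWrites(record) {
  if (!GUARDED_METHODS.has(record.method)) return [];
  return Object.keys(flatten(record.params || {})).filter(isProtected).sort();
}

// Constructed sample data, not taken from a real deployment.
const SAMPLE_BASELINE = { sandbox: { enabled: true }, ui: { theme: "dark" } };
const SAMPLE_CURRENT = { sandbox: { enabled: false }, ui: { theme: "light" } };
const SAMPLE_RECORD = { method: "config.patch", params: SAMPLE_CURRENT };
console.log(protectedDrift(SAMPLE_BASELINE, SAMPLE_CURRENT), protectedWrites(SAMPLE_RECORD));
```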
Monitoring Recommendations
- Forward OpenClaw gateway and agent logs into a centralized analytics pipeline for retention and search.
- Track the OpenClaw version in use across hosts and flag any instance below 2026.4.20.
- Monitor outbound network behavior for SSRF or MCP server connections that would only succeed if egress policy was relaxed.
How to Mitigate CVE-2026-45001
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which contains the tightened gateway mutation guard.
- Audit current configuration for unauthorized changes to sandbox, TLS, auth, MCP, SSRF, hook, plugin, and filesystem settings, and restore baseline values.
- Rotate any gateway authentication credentials or TLS material that may have been altered while the guard was weak.
- Restrict network exposure of the agent-facing gateway to trusted operator networks only.
Patch Information
The fix is delivered in commit fe30b31 and documented in the GitHub Security Advisory GHSA-7jm2-g593-4qrc. Additional context is available in the VulnCheck Advisory on OpenClaw.
Workarounds
- Revoke agent access to the owner-only gateway tool until the upgrade is applied.
- Place the gateway behind a reverse proxy that rejects config.patch and config.apply calls referencing protected key prefixes.
- Run OpenClaw with a read-only configuration mount so persisted mutations cannot survive a restart.
# Verify the installed OpenClaw version meets the fixed release
npm list openclaw
# Upgrade to the patched release
npm install "openclaw@>=2026.4.20"


