CVE-2026-45006 Overview
CVE-2026-45006 is an improper access control vulnerability in OpenClaw versions before 2026.4.23. The flaw resides in the gateway tool's config.apply and config.patch operations, where an incomplete denylist allows compromised models to write unsafe configuration changes. Attackers can persist malicious configuration modifications that affect command execution, network behavior, credentials, and operator policies. These changes survive process restarts, giving adversaries a durable foothold inside affected deployments. The weakness is categorized under [CWE-184: Incomplete List of Disallowed Inputs].
Critical Impact
Compromised models can bypass denylist controls in OpenClaw's gateway tool and persist unsafe configuration changes affecting credentials, command execution, and operator policies across restarts.
Affected Products
- OpenClaw (Node.js package) versions prior to 2026.4.23
- Deployments exposing the gateway tool's config.apply operation
- Deployments exposing the gateway tool's config.patch operation
Discovery Timeline
- 2026-05-11 - CVE-2026-45006 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45006
Vulnerability Analysis
The vulnerability exists in OpenClaw's gateway tool, which exposes configuration mutation operations to model-driven workflows. The config.apply and config.patch operations rely on a denylist to block unsafe configuration keys and values. The denylist is incomplete, leaving paths through which a compromised model can write arbitrary configuration entries.
Because configuration changes are persisted to disk, modifications survive a restart of the gateway. This converts a transient model compromise into a durable system-level compromise. Affected configuration domains include command execution settings, network behavior, stored credentials, and operator policies.
The attack requires network access and low privileges. No user interaction is required, and the impact spans confidentiality, integrity, and availability of the affected component.
Root Cause
The root cause is reliance on an incomplete denylist instead of an allowlist for sensitive configuration mutations. Denylist-based protections must enumerate every dangerous key, alias, and path. Any omission becomes an exploitable bypass, which is precisely the failure mode captured by [CWE-184].
Attack Vector
An attacker first needs control over a model that interacts with the OpenClaw gateway. The attacker then invokes config.apply or config.patch with configuration keys that the denylist fails to cover. The gateway accepts the mutation and writes it to persistent configuration, altering command execution paths, credential material, or operator policy. The change remains in effect after restart, enabling follow-on actions such as credential theft or arbitrary command execution.
No verified proof-of-concept code is publicly available. See the GitHub Security Advisory and the VulnCheck Advisory for technical detail.
Detection Methods for CVE-2026-45006
Indicators of Compromise
- Unexpected invocations of config.apply or config.patch from gateway tool sessions
- Configuration file diffs that introduce new command execution, network, or credential entries outside change-management windows
- Gateway restarts followed by altered runtime behavior such as new outbound connections or shell invocations
- Operator policy changes that were not produced by an authorized human operator
Detection Strategies
- Baseline the OpenClaw configuration file and alert on any byte-level change not associated with an approved deployment
- Log every config.apply and config.patch call with caller identity, payload keys, and resulting diff
- Correlate model-initiated configuration writes with downstream process execution and network connections to identify abuse chains
- Compare installed OpenClaw versions against 2026.4.23 across the fleet and flag anything older
Monitoring Recommendations
- Forward gateway tool audit logs and host process telemetry to a centralized analytics platform for correlation
- Monitor child processes spawned by the OpenClaw runtime for shells, package managers, and remote access binaries
- Alert on outbound network connections from OpenClaw hosts to previously unseen destinations
- Watch for credential material appearing in configuration writes, which signals attempted persistence of stolen secrets
How to Mitigate CVE-2026-45006
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.23 or later on all hosts running the gateway tool
- Audit the current configuration for unauthorized entries in command execution, network, credential, and operator policy sections
- Rotate any credentials stored in or referenced by the OpenClaw configuration if tampering is suspected
- Restrict network exposure of the gateway tool to trusted management networks only
Patch Information
The vendor fix is committed in openclaw/openclaw commit bceda60 and released in OpenClaw 2026.4.23. The patch closes the denylist bypass in the gateway tool's config.apply and config.patch operations. Refer to the GitHub Security Advisory GHSA-cwj3-vqpp-pmxr for the authoritative advisory.
Workarounds
- Disable the gateway tool's config.apply and config.patch operations until the patched version is deployed
- Run OpenClaw under a least-privileged service account that cannot modify system-level credentials or execute privileged commands
- Place the configuration file on a read-only mount during runtime where operationally feasible
- Require human-in-the-loop approval for any model-initiated configuration mutation
# Configuration example: verify and upgrade OpenClaw to the patched release
npm ls openclaw
npm install openclaw@2026.4.23
# Confirm the gateway tool is running the patched version
npm ls openclaw | grep -E "openclaw@2026\.4\.(2[3-9]|[3-9][0-9])"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
