GHSA-5h2w-qmfp-ggp6: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

March 31, 2026

The chat.send path let authorized write-scoped callers persist /verbose session overrides even though the same stored session mutation is admin-only through sessions.patch.

References

github.com/advisories/GHSA-5h2w-qmfp-ggp6
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/c6031235288a8d3bdf2243bd974340d8c8045bc2
github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6

Code Behaviors & Features

Detect and mitigate GHSA-5h2w-qmfp-ggp6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →