GHSA-v3c2-39fm-jq4h: Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

April 24, 2026 (updated May 6, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.

References

Code Behaviors & Features

Detect and mitigate GHSA-v3c2-39fm-jq4h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →