GHSA-mqpw-46fh-299h: OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve

February 17, 2026

A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command.

exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.

References

github.com/advisories/GHSA-mqpw-46fh-299h
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h

Code Behaviors & Features

Detect and mitigate GHSA-mqpw-46fh-299h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →