GHSA-r7vr-gr74-94p8: OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
OpenClaw documented /config and /debug as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.
References
- github.com/advisories/GHSA-r7vr-gr74-94p8
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112ff2e
- github.com/openclaw/openclaw/pull/44305
- github.com/openclaw/openclaw/releases/tag/v2026.3.12
- github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8
Code Behaviors & Features
Detect and mitigate GHSA-r7vr-gr74-94p8 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →