GHSA-rqpp-rjj8-7wv8: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as operator.admin even though those scopes were not tied to a device identity or an explicitly trusted Control UI path.
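To make the flaw class concrete, here is an added illustration (not OpenClaw's code) of a connect-path scope resolver in its vulnerable shape beside a hardened one: the auth modes, scope names other than operator.admin, the device registry and the function names are all assumptions.

```typescript
// Illustrates the bug class in GHSA-rqpp-rjj8-7wv8: a shared-token or
// password-authenticated connection keeping whatever scopes it declared.
// Everything below is a hypothetical stand-in, not the OpenClaw gateway.

type AuthMode = "device" | "shared-token" | "password" | "control-ui";

interface ConnectRequest {
  authMode: AuthMode;
  deviceId?: string;          // present only when a device identity was proven
  requestedScopes: string[];  // scopes as declared in the client's connect frame
}

// Scopes the server is willing to grant without a device identity (assumed).
const SHARED_AUTH_SCOPES = new Set(["operator.read", "operator.write"]);

// Scopes reserved for a verified device or the trusted Control UI path.
const DEVICE_BOUND_SCOPES = new Set(["operator.admin"]);

// Stand-in for the gateway's device registry (constructed sample data).
const trustedDevices = new Map<string, Set<string>>([
  ["device-abc", new Set(["operator.read", "operator.admin"])],
]);

// Vulnerable shape: client-declared scopes are kept without server-side binding,
// so a shared-token client can simply declare operator.admin.
function resolveScopesVulnerable(req: ConnectRequest): string[] {
  return [...req.requestedScopes];
}

// Hardened shape: the server derives the allowed set from what the auth path
// actually proved, then intersects the declared scopes with it.
function resolveScopesFixed(req: ConnectRequest): string[] {
  let allowed: Set<string>;
  if (req.authMode === "device" && req.deviceId) {
    allowed = trustedDevices.get(req.deviceId) ?? new Set<string>();
  } else if (req.authMode === "control-ui") {
    allowed = new Set([...SHARED_AUTH_SCOPES, ...DEVICE_BOUND_SCOPES]);
  } else {
    // shared-token / password: no device identity, so no device-bound scopes
    allowed = SHARED_AUTH_SCOPES;
  }
  return req.requestedScopes.filter((scope) => allowed.has(scope));
}
```

The hardened resolver never widens: an unknown device id yields no scopes at all, and a shared-token client asking for operator.admin is silently reduced to the shared-auth set, which is the behaviour a defender should expect after upgrading to a fixed release.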
References
- github.com/advisories/GHSA-rqpp-rjj8-7wv8
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/5e389d5e7c9233ec91026ab2fea299ebaf3249f6
- github.com/openclaw/openclaw/pull/44306
- github.com/openclaw/openclaw/releases/tag/v2026.3.12
- github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8