CVE-2026-22172
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

Severity: CRITICAL 9.9 | EPSS: 0.02%

Description
### Summary

A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as `operator.admin` even though those scopes were not tied to a device identity or an explicitly trusted Control UI path.

### Impact

This crossed the intended authorization boundary and could let a shared-secret-authenticated backend client perform admin-only gateway operations.

### Affected versions

`openclaw` `<= 2026.3.11`

### Patch

Fixed in `openclaw` `2026.3.12`. The gateway now clears unbound scopes for non-Control-UI shared-auth connections, and regression tests cover the device-less shared-auth path.
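The flaw pattern and the fix described above, as an added illustration that is not OpenClaw's own code: the connection record, its field names (`authMode`, `deviceId`, `isControlUi`, `declaredScopes`) and the helper names are assumptions modelled on the advisory text, and the sample connections are constructed.

```javascript
// Added illustration modelled on the advisory text; this is NOT OpenClaw's code.
// The connection record, its field names and the helper names are assumptions.
// A connect request records how the peer authenticated, whether that auth is
// bound to a device identity, whether it arrived over the trusted Control UI
// path, and which scopes the client itself declared.
const ADMIN_SCOPE = "operator.admin";
const SHARED_AUTH = new Set(["shared-token", "password"]);

// Flaw pattern described in the advisory: once authenticated, the connection
// keeps whatever scopes the client declared, with no server-side binding.
function resolveScopesVulnerable(conn) {
  if (!conn.authenticated) return [];
  return [...conn.declaredScopes];
}

// Fixed pattern: client-declared scopes survive only when something on the
// server side vouches for them (a device identity or the Control UI path).
// Device-less shared-auth backend connections have their scopes cleared.
function resolveScopesFixed(conn) {
  if (!conn.authenticated) return [];
  const sharedAuth = SHARED_AUTH.has(conn.authMode);
  if (sharedAuth && !conn.deviceId && !conn.isControlUi) return [];
  return [...conn.declaredScopes];
}

// Admin-only gateway operations are gated on the resolved scopes,
// never on the raw client declaration.
function mayRunAdminOp(conn, resolve) {
  return resolve(conn).includes(ADMIN_SCOPE);
}

// Constructed sample: a shared-token backend client with no device identity
// that self-declares operator.admin.
const sharedBackend = {
  authenticated: true,
  authMode: "shared-token",
  deviceId: null,
  isControlUi: false,
  declaredScopes: [ADMIN_SCOPE, "operator.read"],
};

// Constructed sample: a device-bound peer keeps its scopes because the
// device identity is the server-side anchor for them.
const deviceBound = { ...sharedBackend, authMode: "device", deviceId: "dev-123" };

console.log("vulnerable grants admin:", mayRunAdminOp(sharedBackend, resolveScopesVulnerable)); // true
console.log("fixed grants admin:", mayRunAdminOp(sharedBackend, resolveScopesFixed)); // false
console.log("device-bound keeps admin:", mayRunAdminOp(deviceBound, resolveScopesFixed)); // true
```

Checking `resolveScopesFixed` against a device-less shared-auth connection is the kind of regression test the patch note refers to: such a connection must resolve to no scopes at all.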
Affected packages (1)
- npm/openclaw: from 0, < 2026.3.12
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (5)
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/5e389d5e7c9233ec91026ab2fea299ebaf3249f6
- WEB: https://github.com/openclaw/openclaw/pull/44306
- WEB: https://github.com/openclaw/openclaw/releases/tag/v2026.3.12
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8