#VU125280 Improper access control in OpenClaw

Published: April 8, 2026


Vulnerability identifier: #VU125280
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to bypass explicit approval requirements for inline eval commands.

The vulnerability exists due to improper access control in strictInlineEval approval handling on gateway and node exec hosts. When an approval request for an inline eval command times out, the host applies its approval-timeout fallback instead of failing closed, so the explicit-approval requirement that strictInlineEval is meant to enforce is skipped. A local user can rely on this fallback to get inline eval commands executed without anyone approving them.

This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.
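The description above reduces to a single control-flow mistake: the timeout branch of the approval gate consults a generic fallback without first checking the strict inline-eval rule. The following TypeScript is an added illustration of that shape, not OpenClaw's code; the policy fields, the argv-based inline-eval heuristic and the helper names are assumptions, and the requests fed through it are constructed.

```typescript
// Added illustration, not OpenClaw's code: a minimal model of an exec approval
// gate with a strictInlineEval-style policy and an approval-timeout fallback.
// All names (ExecPolicy, timeoutFallback, isInlineEval, ...) are hypothetical.

type ApprovalOutcome = "approved" | "denied" | "timeout";
type Decision = "run" | "block";

interface ExecPolicy {
  // Inline eval (an interpreter handed code on its command line) needs explicit approval.
  strictInlineEval: boolean;
  // What the host does when no approver answers before the deadline.
  timeoutFallback: "allow" | "deny";
}

interface ExecRequest {
  argv: string[];
}

// Hypothetical heuristic for "inline eval": interpreter binaries and the flags
// that make them execute code taken from argv rather than from a file.
const INLINE_EVAL_FLAGS: Record<string, string[]> = {
  sh: ["-c"], bash: ["-c"], zsh: ["-c"], dash: ["-c"],
  python: ["-c"], python3: ["-c"],
  node: ["-e", "--eval", "-p", "--print"],
  perl: ["-e", "-E"], ruby: ["-e"],
};

function isInlineEval(argv: string[]): boolean {
  if (argv.length < 2) return false;
  const bin = (argv[0] ?? "").split("/").pop() ?? "";
  const flags: string[] | undefined = INLINE_EVAL_FLAGS[bin];
  if (flags === undefined) return false;
  return argv.slice(1).some((a) => flags.includes(a));
}

// Vulnerable shape: the timeout branch consults only the generic fallback, so
// an unanswered approval request turns into "run" even for inline eval.
function decideVulnerable(req: ExecRequest, policy: ExecPolicy, outcome: ApprovalOutcome): Decision {
  if (outcome === "approved") return "run";
  if (outcome === "denied") return "block";
  void req; // the request is never inspected on the timeout path: that is the bug
  return policy.timeoutFallback === "allow" ? "run" : "block";
}

// Hardened shape: under strictInlineEval, inline eval runs only on an explicit
// approval; a timeout fails closed for it, and the fallback applies only to
// commands the strict rule does not cover.
function decideHardened(req: ExecRequest, policy: ExecPolicy, outcome: ApprovalOutcome): Decision {
  if (outcome === "approved") return "run";
  if (outcome === "denied") return "block";
  if (policy.strictInlineEval && isInlineEval(req.argv)) return "block";
  return policy.timeoutFallback === "allow" ? "run" : "block";
}

// Runs the same constructed requests through both gates and returns the rows.
function compare(): Array<{ argv: string[]; outcome: ApprovalOutcome; vulnerable: Decision; hardened: Decision }> {
  const policy: ExecPolicy = { strictInlineEval: true, timeoutFallback: "allow" };
  const cases: Array<[string[], ApprovalOutcome]> = [
    [["/bin/sh", "-c", "id"], "timeout"],        // constructed: inline eval, approver never answers
    [["python3", "-c", "print(1)"], "approved"], // constructed: explicitly approved
    [["ls", "-la", "/tmp"], "timeout"],          // constructed: ordinary command, fallback still applies
    [["node", "-e", "process.exit(0)"], "denied"],
  ];
  return cases.map(([argv, outcome]) => ({
    argv,
    outcome,
    vulnerable: decideVulnerable({ argv }, policy, outcome),
    hardened: decideHardened({ argv }, policy, outcome),
  }));
}

for (const row of compare()) {
  console.log(`${row.argv.join(" ")} [${row.outcome}] vulnerable=${row.vulnerable} hardened=${row.hardened}`);
}
```

The first row is the case the advisory describes: with strictInlineEval on and a permissive timeout fallback, the vulnerable gate runs `sh -c id` after a silent timeout while the hardened gate blocks it. The third row shows that a fail-closed rule for inline eval does not have to change behaviour for commands the strict policy never covered.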


Remediation

Install the security update from the vendor's website.
