Improper access control in OpenClaw - #VU125280

Published: April 8, 2026

Vulnerability identifier: #VU125280
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to bypass explicit approval requirements for inline eval commands.

The vulnerability exists due to improper access control in the strictInlineEval approval handling on gateway and node exec hosts when the approval-timeout fallback is applied. Because the fallback also covers inline eval commands, a local user can run such a command through the approval-timeout path and bypass the explicit approval that strictInlineEval is meant to require.

This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.
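To make the fail-open condition concrete, the following added TypeScript example (hypothetical code, not OpenClaw's own implementation) contrasts an approval gate whose timeout fallback also covers inline eval commands with one that fails closed under strictInlineEval; all type and function names, and the sample commands, are assumptions.

```typescript
// Added example, not OpenClaw's code. It models the bug class in the advisory:
// an exec-approval gate whose approval-timeout fallback also covers inline eval
// commands, beside a gate that fails closed when strictInlineEval is enabled.
// ExecRequest, PolicyConfig and gateExec* are hypothetical names.

interface ExecRequest {
  command: string;
  // Constructed flag: true when the command carries an inline eval payload
  // (an interpreter "-e"/"-c" style body). A real host derives it by parsing.
  isInlineEval: boolean;
}

interface PolicyConfig {
  strictInlineEval: boolean;           // inline eval needs explicit approval
  onApprovalTimeout: "allow" | "deny"; // fallback when no approver answers
}

// Simulated approver: true/false is an explicit answer, undefined means the
// approval deadline passed with no answer.
type Approver = (req: ExecRequest) => boolean | undefined;

// Vulnerable shape: the timeout fallback is applied to every request, so an
// inline eval that should require explicit approval runs when nobody answers.
function gateExecFailOpen(req: ExecRequest, cfg: PolicyConfig, ask: Approver): "allow" | "deny" {
  const answer = ask(req);
  if (answer === undefined) return cfg.onApprovalTimeout;
  return answer ? "allow" : "deny";
}

// Hardened shape: under strictInlineEval an inline eval is allowed only by an
// explicit positive answer; a timeout never stands in for that approval.
function gateExecFailClosed(req: ExecRequest, cfg: PolicyConfig, ask: Approver): "allow" | "deny" {
  const answer = ask(req);
  if (answer !== undefined) return answer ? "allow" : "deny";
  if (cfg.strictInlineEval && req.isInlineEval) return "deny";
  return cfg.onApprovalTimeout;
}

// Constructed scenario: strict mode on, permissive timeout fallback, silent approver.
const strictCfg: PolicyConfig = { strictInlineEval: true, onApprovalTimeout: "allow" };
const inlineEval: ExecRequest = { command: 'python3 -c "print(1)"', isInlineEval: true };
const plainCmd: ExecRequest = { command: "ls -l", isInlineEval: false };
const silentApprover: Approver = () => undefined;

// The fail-open gate lets the silent-approver inline eval through; the
// fail-closed gate denies it while still honouring explicit answers.
console.log(gateExecFailOpen(inlineEval, strictCfg, silentApprover));   // allow
console.log(gateExecFailClosed(inlineEval, strictCfg, silentApprover)); // deny
```

Audit records for the fail-closed path should name the reason ("approval timeout under strictInlineEval") so that repeated denials are visible to the host operator.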

Remediation

Install security update from vendor's website.

Sources