Improper access control in OpenClaw - #VU126432


Published: April 17, 2026

Vulnerability identifier: #VU126432
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass group media restrictions.

The vulnerability exists due to improper access control in delivery queue recovery: when queued outbound media is recovered and replayed after a restart or recovery, the group media restrictions are not re-applied. A remote attacker can trigger media replay from recovered queue entries to bypass group media restrictions.

The issue occurs because the original session context needed to enforce the group tool policy may be lost during recovery, so the replay path has nothing to check the policy against.
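The pattern behind this flaw, as an added illustration that is not OpenClaw's code: a queue entry persisted without the session's group context cannot be policy-checked on replay, while an entry that carries its group id can be re-checked and dropped if the group disallows media. The policy table, entry layout and session shape are all hypothetical.

```python
"""Illustration (not OpenClaw code) of policy enforcement on replay of
recovered queued outbound media. Everything here is constructed."""
import json

# Hypothetical group tool policy: whether a group may receive media at all.
GROUP_POLICY = {"grp-ops": {"media": True}, "grp-readonly": {"media": False}}


def media_allowed(group_id: str) -> bool:
    """Fail closed: unknown or missing groups never get media."""
    return GROUP_POLICY.get(group_id, {}).get("media", False)


def enqueue_vulnerable(session: dict, media: str) -> dict:
    # Group context stays in memory only; the persisted entry has no group id,
    # so after a restart nothing remains to enforce the policy with.
    return {"media": media}


def enqueue_fixed(session: dict, media: str) -> dict:
    # Persist the context the policy check needs alongside the payload.
    return {"media": media, "group_id": session["group_id"]}


def persist(entries: list) -> str:
    """Simulate the queue being written to disk before a restart."""
    return json.dumps(entries)


def replay_unchecked(raw: str) -> list:
    """Original behaviour: every recovered entry is delivered as-is."""
    return [e["media"] for e in json.loads(raw)]


def replay_checked(raw: str) -> list:
    """Hardened replay: re-evaluate the group policy at replay time and drop
    entries whose context is missing or whose group forbids media."""
    return [e["media"] for e in json.loads(raw)
            if media_allowed(e.get("group_id", ""))]


def demo() -> tuple:
    # Constructed sessions: the read-only group must never receive media.
    ops, ro = {"group_id": "grp-ops"}, {"group_id": "grp-readonly"}
    old_queue = persist([enqueue_vulnerable(ops, "report.png"),
                         enqueue_vulnerable(ro, "blocked.png")])
    new_queue = persist([enqueue_fixed(ops, "report.png"),
                         enqueue_fixed(ro, "blocked.png")])
    # Unchecked replay of context-less entries delivers the blocked media;
    # checked replay drops them, and delivers only the permitted entry.
    return replay_unchecked(old_queue), replay_checked(old_queue), replay_checked(new_queue)
```

The third result shows the intended end state: context is persisted with the entry and the policy is re-applied on replay, so only the permitted group's media is delivered.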


Remediation

Install security update from vendor's website.

Sources