AI Threat Alert AI Threat Alert

GHSA-3q42-xmxv-9vfr: openclaw: privilege escalation to admin voice config persistence

GHSA-3q42-xmxv-9vfr MEDIUM
Published April 7, 2026
CISO Take

An authenticated user holding operator.write permissions in openclaw can abuse the chat.send channel to persist changes to admin-class Talk Voice configuration — a privilege boundary that should require elevated rights. While exploitation requires prior authentication and the maintainer has normalized severity below high, the ability to silently modify voice configuration at admin-class scope creates a persistent foothold risk in any deployment where operator-level access is broadly distributed. There is no public exploit and this is not in CISA KEV, but openclaw has accumulated 37 CVEs in the same package, suggesting systemic access-control weaknesses that warrant closer scrutiny. Upgrade to openclaw >= 2026.3.28 immediately; audit all users holding operator.write for signs of unauthorized config changes since 2026.3.24.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium overall, but contextually elevated for AI agent deployments. The CWE-269 (Improper Privilege Management) root cause is a horizontal privilege escalation that crosses a trust boundary between operator and admin tiers. Exploitation requires valid credentials (reduces likelihood), but the persistence aspect — writing to admin-class configuration — means a compromised or malicious operator can embed changes that survive restarts. The 37 CVE history in this package suggests the access-control model has not been systematically hardened, increasing confidence that this is not an isolated oversight.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm <= 2026.3.24 2026.3.28

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

  1. Patch: Upgrade openclaw to >= 2026.3.28 (fix commit e34694733fc64931ed4a543c73d84ad3435d5df1, released 2026-03-28).
  2. Audit: Review Talk Voice configuration history for unauthorized changes since 2026.03.24 — look for config writes not originating from admin accounts.
  3. Access control: Enforce least-privilege on operator.write assignments; limit who can hold this role.
  4. Detection: Alert on any Talk Voice config changes originating from operator-class sessions (not admin sessions).
  5. Enumerate all openclaw deployments given the 37-CVE history in this package — a full audit of granted permissions is warranted.

Classification

Auth Bypass Supply Chain Agent Framework AML.T0012 AML.T0053 AML.T0081

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.6.1.2 - Segregation of duties
NIST AI RMF
GOVERN-1.7 - Processes and practices are in place to assess AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub
Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents malicious OpenClaw skills abusing the skills/plugin ecosystem to exfiltrate credentials. This CVE's privilege escalation via chat.send could be chained with a malicious skill to automate admin-class config persistence, representing the same failure mode of insufficient access enforcement within the OpenClaw agent runtime.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `e34694733fc64931ed4a543c73d84ad3435d5df1` — 2026-03-25T19:55:26Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zpbrent for reporting.

Exploitation Scenario

An adversary with legitimate operator.write credentials (e.g., a malicious insider, a compromised service account, or a third-party integration) invokes chat.send with a crafted payload targeting the Talk Voice configuration endpoint. Because the privilege check is absent or misconfigured, the request is processed with admin-class authority, persisting a modified voice configuration — such as rerouting voice channels, injecting custom response behaviors, or altering trust policies. The change survives agent restarts and appears in admin-tier configuration, making it difficult to attribute to a non-admin actor without detailed audit logging. This is particularly dangerous in deployments where openclaw skills (see AIID #1368) are used, as a malicious skill could automate this escalation transparently.

Weaknesses (CWE)

CWE-269 Improper Privilege Management Primary

References

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed