GHSA-3q42-xmxv-9vfr: openclaw: privilege escalation to admin voice config persistence
GHSA-3q42-xmxv-9vfr MEDIUMAn authenticated user holding operator.write permissions in openclaw can abuse the chat.send channel to persist changes to admin-class Talk Voice configuration — a privilege boundary that should require elevated rights. While exploitation requires prior authentication and the maintainer has normalized severity below high, the ability to silently modify voice configuration at admin-class scope creates a persistent foothold risk in any deployment where operator-level access is broadly distributed. There is no public exploit and this is not in CISA KEV, but openclaw has accumulated 37 CVEs in the same package, suggesting systemic access-control weaknesses that warrant closer scrutiny. Upgrade to openclaw >= 2026.3.28 immediately; audit all users holding operator.write for signs of unauthorized config changes since 2026.3.24.
What is the risk?
Medium overall, but contextually elevated for AI agent deployments. The CWE-269 (Improper Privilege Management) root cause is a horizontal privilege escalation that crosses a trust boundary between operator and admin tiers. Exploitation requires valid credentials (reduces likelihood), but the persistence aspect — writing to admin-class configuration — means a compromised or malicious operator can embed changes that survive restarts. The 37 CVE history in this package suggests the access-control model has not been systematically hardened, increasing confidence that this is not an isolated oversight.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.3.24 | 2026.3.28 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: Upgrade openclaw to >= 2026.3.28 (fix commit e34694733fc64931ed4a543c73d84ad3435d5df1, released 2026-03-28).
-
Audit: Review Talk Voice configuration history for unauthorized changes since 2026.03.24 — look for config writes not originating from admin accounts.
-
Access control: Enforce least-privilege on operator.write assignments; limit who can hold this role.
-
Detection: Alert on any Talk Voice config changes originating from operator-class sessions (not admin sessions).
-
Enumerate all openclaw deployments given the 37-CVE history in this package — a full audit of granted permissions is warranted.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-3q42-xmxv-9vfr?
An authenticated user holding operator.write permissions in openclaw can abuse the chat.send channel to persist changes to admin-class Talk Voice configuration — a privilege boundary that should require elevated rights. While exploitation requires prior authentication and the maintainer has normalized severity below high, the ability to silently modify voice configuration at admin-class scope creates a persistent foothold risk in any deployment where operator-level access is broadly distributed. There is no public exploit and this is not in CISA KEV, but openclaw has accumulated 37 CVEs in the same package, suggesting systemic access-control weaknesses that warrant closer scrutiny. Upgrade to openclaw >= 2026.3.28 immediately; audit all users holding operator.write for signs of unauthorized config changes since 2026.3.24.
Is GHSA-3q42-xmxv-9vfr actively exploited?
No confirmed active exploitation of GHSA-3q42-xmxv-9vfr has been reported, but organizations should still patch proactively.
How to fix GHSA-3q42-xmxv-9vfr?
1. Patch: Upgrade openclaw to >= 2026.3.28 (fix commit e34694733fc64931ed4a543c73d84ad3435d5df1, released 2026-03-28). 2. Audit: Review Talk Voice configuration history for unauthorized changes since 2026.03.24 — look for config writes not originating from admin accounts. 3. Access control: Enforce least-privilege on operator.write assignments; limit who can hold this role. 4. Detection: Alert on any Talk Voice config changes originating from operator-class sessions (not admin sessions). 5. Enumerate all openclaw deployments given the 37-CVE history in this package — a full audit of granted permissions is warranted.
What systems are affected by GHSA-3q42-xmxv-9vfr?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-powered voice/conversation platforms, multi-tenant AI agent deployments.
What is the CVSS score for GHSA-3q42-xmxv-9vfr?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `e34694733fc64931ed4a543c73d84ad3435d5df1` — 2026-03-25T19:55:26Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zpbrent for reporting.
Exploitation Scenario
An adversary with legitimate operator.write credentials (e.g., a malicious insider, a compromised service account, or a third-party integration) invokes chat.send with a crafted payload targeting the Talk Voice configuration endpoint. Because the privilege check is absent or misconfigured, the request is processed with admin-class authority, persisting a modified voice configuration — such as rerouting voice channels, injecting custom response behaviors, or altering trust policies. The change survives agent restarts and appears in admin-tier configuration, making it difficult to attribute to a non-admin actor without detailed audit logging. This is particularly dangerous in deployments where openclaw skills (see AIID #1368) are used, as a malicious skill could automate this escalation transparently.
Weaknesses (CWE)
CWE-269 — Improper Privilege Management: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw