GHSA-767m-xrhc-fxm7: openclaw: operator.write escalates to admin Telegram config + cron
GHSA-767m-xrhc-fxm7 (LOW)
An authenticated user with operator.write permission in openclaw can invoke the send function in ways that bypass the privilege boundary between the operator and admin tiers, reaching Telegram configuration (which may contain bot tokens and other credentials) and establishing cron-based persistence. The blast radius is constrained by the authentication requirement, but in multi-tenant or multi-role deployments where operator credentials are broadly distributed, this is a real lateral escalation path. This package has 37 CVEs on record, which makes it a pattern-level concern rather than a one-off bug. Upgrade to openclaw >= 2026.3.28 immediately and audit any Telegram bot configs or cron entries created while a version <= 2026.3.24 was running.
Risk Assessment
Medium risk per the maintainer triage (the badge above says low), constrained by the authentication prerequisite. An attacker needs valid operator.write credentials first, so an insider or a compromised operator session is the realistic entry point. However, the destination (admin Telegram config plus cron persistence) is high-value: Telegram bot tokens enable out-of-band exfiltration, and cron jobs survive restarts. The 37-CVE history on this package and the Bitdefender-documented skills abuse (AIID #1368) suggest openclaw's security track record warrants elevated skepticism. No CVSS, no EPSS, not in KEV: the risk is real but operationally contained.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.3.24 | 2026.3.28 |
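The vulnerable and patched ranges above are calendar-style versions (YYYY.M.D), and a naive string comparison misorders them ("2026.3.4" sorts after "2026.3.28"). The following is an added example, not openclaw's own code, that compares versions component by component and walks a lockfileVersion 2/3 package-lock.json for every openclaw copy, nested ones included; the sample lockfile is constructed for the demonstration.

```javascript
// Added example, not openclaw's own code: check installed openclaw versions
// against the advisory's ranges (vulnerable <= 2026.3.24, patched >= 2026.3.28).
// openclaw uses calendar-style versions (YYYY.M.D); compare component by
// component as integers, because plain string comparison orders "2026.3.4"
// after "2026.3.28" and would misclassify it.

const VULNERABLE_MAX = "2026.3.24"; // from the advisory table
const PATCHED_MIN = "2026.3.28";    // from the advisory table

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, VULNERABLE_MAX) <= 0;
}

// "vulnerable", "patched", or "unlisted" for versions that fall between the
// two boundaries and are not covered by the advisory; check those manually.
function classify(version) {
  if (isVulnerable(version)) return "vulnerable";
  if (compareVersions(version, PATCHED_MIN) >= 0) return "patched";
  return "unlisted";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every openclaw copy. A transitive copy under another package is just as
// reachable as the top-level one, so nested paths are included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/openclaw$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demonstration (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.3.24" },
    "node_modules/some-plugin": { version: "0.4.1" },
    "node_modules/some-plugin/node_modules/openclaw": { version: "2026.3.31" },
  },
};

function demo() {
  // Usage: replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
  const findings = auditLockfile(SAMPLE_LOCK);
  for (const f of findings) console.log(`${f.path}: ${f.version} -> ${f.status}`);
  return findings;
}

demo();
```

`npm ls openclaw` shows the same nested copies interactively; the lockfile walk is what you would run in CI so a plugin that pins an old openclaw cannot reintroduce the vulnerable range after you upgrade the top-level dependency.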
If you run openclaw at version 2026.3.24 or earlier, you are affected.
Recommended Action
- Upgrade openclaw npm package to >= 2026.3.28 immediately.
- Audit Telegram bot configurations for unauthorized entries or token changes made while a version <= 2026.3.24 was installed.
- Review cron job configurations for any unexpected additions on systems running openclaw.
- Rotate Telegram bot tokens if any operator-tier access has been granted to untrusted parties.
- Enforce least-privilege: validate that operator.write cannot call send in ways that bridge to admin-tier resources post-patch.
- Monitor agent invocation logs for operator.write → send → admin-config patterns as a detection rule.
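The last two actions, a post-patch boundary check and a detection rule over invocation logs, can be demonstrated together. The following is an added example, not openclaw's own code: the scope name operator.write and the two admin-class sinks (Telegram configuration and cron persistence) come from the advisory, while the sink identifiers, the log record shape (JSON lines with ts, principal, scope, tool and target fields) and the sample log lines are assumptions constructed for this illustration.

```javascript
// Added example, not openclaw's own code. Two pieces: (1) the least-privilege
// rule `send` should enforce after the fix, and (2) a detector that runs over
// invocation logs for the operator.write -> send -> admin-class-sink pattern.
// The scope name "operator.write" and the two admin-class sinks (Telegram
// configuration, cron persistence) come from the advisory; the sink names, the
// log record shape and the sample lines below are assumptions for illustration.

const ADMIN_SINKS = new Set(["telegram.config", "cron"]);

// Rule (1): operator.write may drive ordinary sinks through send, but an
// admin-class sink requires the admin tier regardless of how the call is shaped.
function isSendAllowed(scope, target) {
  if (ADMIN_SINKS.has(target)) return scope === "admin";
  return scope === "admin" || scope === "operator.write";
}

// Parse newline-delimited JSON, dropping blank and malformed lines so a single
// corrupt record cannot stall the scan. Returns { records, malformed }.
function parseInvocationLog(text) {
  const records = [];
  let malformed = 0;
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const r = JSON.parse(line);
      const ok = ["principal", "scope", "tool", "target"].every((k) => typeof r[k] === "string");
      if (!ok) { malformed++; continue; }
      records.push(r);
    } catch {
      malformed++;
    }
  }
  return { records, malformed };
}

// Rule (2): every send() call from the operator.write tier that rule (1)
// would reject is the escalation the advisory describes.
function detectEscalations(records) {
  return records.filter(
    (r) => r.tool === "send" && r.scope === "operator.write" && !isSendAllowed(r.scope, r.target)
  );
}

// Group findings by principal. An operator that reached both Telegram config
// and cron matches the full "exfiltration channel plus persistence" scenario.
function summarizeByPrincipal(findings) {
  const byPrincipal = {};
  for (const f of findings) {
    const s = byPrincipal[f.principal] || (byPrincipal[f.principal] = { sinks: new Set(), count: 0 });
    s.sinks.add(f.target);
    s.count++;
  }
  return Object.fromEntries(
    Object.entries(byPrincipal).map(([p, s]) => [
      p,
      { count: s.count, sinks: [...s.sinks].sort(), fullChain: [...ADMIN_SINKS].every((t) => s.sinks.has(t)) },
    ])
  );
}

// Constructed sample log (not captured from a real deployment).
const SAMPLE_LOG = [
  '{"ts":"2026-03-20T10:00:00Z","principal":"op-alice","scope":"operator.write","tool":"send","target":"chat"}',
  '{"ts":"2026-03-20T10:01:00Z","principal":"op-alice","scope":"operator.write","tool":"send","target":"telegram.config"}',
  '{"ts":"2026-03-20T10:02:00Z","principal":"op-alice","scope":"operator.write","tool":"send","target":"cron"}',
  '{"ts":"2026-03-20T10:03:00Z","principal":"admin-bob","scope":"admin","tool":"send","target":"telegram.config"}',
  '{"ts":"2026-03-20T10:04:00Z","principal":"op-carol","scope":"operator.write","tool":"send","target":"cron"}',
  "garbage line that is not JSON",
].join("\n");

function demo() {
  const { records, malformed } = parseInvocationLog(SAMPLE_LOG);
  const findings = detectEscalations(records);
  const summary = summarizeByPrincipal(findings);
  for (const f of findings) console.log(`${f.ts} ${f.principal} send -> ${f.target} (scope ${f.scope})`);
  console.log(`malformed lines skipped: ${malformed}`);
  return { findings, summary, malformed };
}

demo();
```

The detector deliberately reuses the policy function rather than a separate hard-coded list, so the alert rule and the enforcement rule cannot drift apart: anything the gateway is supposed to deny is exactly what the log scan flags if it ever got through. The admin principal reaching telegram.config is not reported, which is the intended baseline, and the per-principal summary separates an operator who touched one admin sink from one who built the full exfiltration-plus-persistence chain.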
Related AI Incidents (1): AIID #1368 (source: AI Incident Database)
Technical Details
NVD Description
## Summary

Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

## Current Maintainer Triage

- Status: narrow
- Normalized severity: medium
- Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated sink-specific escalation and high is too high given the narrower scope.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.24`
- Patched versions: `>= 2026.3.28`
- First stable tag containing the fix: `v2026.3.28`

## Fix Commit(s)

- `b7d70ade3b9900dbe97bd73be9c02e924ff3c986` — 2026-03-25T12:12:09-06:00

## Release Process Note

- The fix is already present in released version `2026.3.28`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @zpbrent for reporting.
Exploitation Scenario
A threat actor with operator.write credentials (obtained via phishing, a leaked API key, or a malicious third-party skill in the openclaw ecosystem) invokes the send function with a crafted request that crosses the privilege boundary into the admin-class Telegram configuration handler. The actor reads or modifies the Telegram bot token, enabling silent exfiltration of agent messages. At the same time, they add a cron job that re-establishes operator.write access on a schedule, so the foothold survives session revocation. This mirrors the AIID #1368 pattern, where openclaw skills were weaponized for credential harvesting through the same ecosystem. The advisory confirms only that operator.write can reach these two sinks via send; it does not publish the request shape, so the routing described here is a reconstruction of the reported path rather than a published proof of concept.
Related Vulnerabilities
| ID | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |
| GHSA-hr5v-j9h9-xjhg | 7.7 | OpenClaw: sandbox escape via mediaUrl path traversal | Same package: openclaw |