GHSA-h2v7-xc88-xx8c: openclaw: operator scope bypass in phone arm/disarm cmds
GHSA-h2v7-xc88-xx8c MEDIUMOpenClaw's `/phone arm` and `/phone disarm` slash commands fail to enforce the `operator.admin` scope requirement when invoked through external channels, allowing any authenticated user — regardless of privilege level — to arm or disarm phone integrations. This is a CWE-285 Improper Authorization defect in an AI agent framework that already carries 37 CVEs, signaling a systemic authorization hygiene problem rather than an isolated edge case. No active exploitation has been confirmed and the flaw is not in CISA KEV, but the blast radius extends to any OpenClaw deployment that exposes external channel integrations with mixed user privilege tiers. Upgrade to `openclaw >= 2026.3.28` immediately; if patching is not immediately feasible, restrict external channel access at the network or API gateway level and audit logs for anomalous `/phone arm` or `/phone disarm` calls from non-admin identities.
What is the risk?
Medium risk overall. The vulnerability requires an authenticated session but no elevated privileges — any user with access to an external channel can trigger privileged phone operations. The absence of EPSS data and public exploits lowers urgency, but the breadth of OpenClaw deployments in enterprise AI agent stacks and the package's history (37 CVEs) increases organizational exposure. The fix was shipped 11 days after the commit and is publicly tagged, reducing window for exploitation now that the advisory is public.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.3.24 | 2026.3.28 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
4 steps-
Patch: Upgrade
openclawto>= 2026.3.28(npm). The fix commit isaa66ae1fc797d3298cc409ed2c5da69a89950a45. -
Workaround: If upgrade is blocked, restrict access to external channels at the reverse proxy or API gateway layer to
operator.admin-equivalent identities only. -
Detection: Query application logs for
/phone armor/phone disarmcommands issued by non-admin user identities on external channel endpoints; alert on any match prior to the patch date. -
Audit: Given 37 CVEs in this package, conduct a broader authorization audit of other privileged commands exposed via external channels.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-h2v7-xc88-xx8c?
OpenClaw's `/phone arm` and `/phone disarm` slash commands fail to enforce the `operator.admin` scope requirement when invoked through external channels, allowing any authenticated user — regardless of privilege level — to arm or disarm phone integrations. This is a CWE-285 Improper Authorization defect in an AI agent framework that already carries 37 CVEs, signaling a systemic authorization hygiene problem rather than an isolated edge case. No active exploitation has been confirmed and the flaw is not in CISA KEV, but the blast radius extends to any OpenClaw deployment that exposes external channel integrations with mixed user privilege tiers. Upgrade to `openclaw >= 2026.3.28` immediately; if patching is not immediately feasible, restrict external channel access at the network or API gateway level and audit logs for anomalous `/phone arm` or `/phone disarm` calls from non-admin identities.
Is GHSA-h2v7-xc88-xx8c actively exploited?
No confirmed active exploitation of GHSA-h2v7-xc88-xx8c has been reported, but organizations should still patch proactively.
How to fix GHSA-h2v7-xc88-xx8c?
1. Patch: Upgrade `openclaw` to `>= 2026.3.28` (npm). The fix commit is `aa66ae1fc797d3298cc409ed2c5da69a89950a45`. 2. Workaround: If upgrade is blocked, restrict access to external channels at the reverse proxy or API gateway layer to `operator.admin`-equivalent identities only. 3. Detection: Query application logs for `/phone arm` or `/phone disarm` commands issued by non-admin user identities on external channel endpoints; alert on any match prior to the patch date. 4. Audit: Given 37 CVEs in this package, conduct a broader authorization audit of other privileged commands exposed via external channels.
What systems are affected by GHSA-h2v7-xc88-xx8c?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, voice and telephony AI integrations, external channel connectors (Slack, Teams, webhooks).
What is the CVSS score for GHSA-h2v7-xc88-xx8c?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `aa66ae1fc797d3298cc409ed2c5da69a89950a45` — 2026-03-27T20:35:42Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.
Exploitation Scenario
An attacker with a low-privilege account in an organization's OpenClaw-backed AI assistant (e.g., a general employee using a Slack integration) issues `/phone disarm` via the external Slack channel. Because the `operator.admin` scope check is not enforced on external channel requests, the command executes successfully. The attacker can disable phone routing for an AI-driven support or incident response pipeline — silencing inbound alerts or customer calls — without any administrator credentials. In a targeted attack, this could be chained with a separate incident to suppress AI-automated alerting at a critical moment.
Weaknesses (CWE)
CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw