AI Threat Alert AI Threat Alert

GHSA-h2v7-xc88-xx8c: openclaw: operator scope bypass in phone arm/disarm cmds

GHSA-h2v7-xc88-xx8c MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's `/phone arm` and `/phone disarm` slash commands fail to enforce the `operator.admin` scope requirement when invoked through external channels, allowing any authenticated user — regardless of privilege level — to arm or disarm phone integrations. This is a CWE-285 Improper Authorization defect in an AI agent framework that already carries 37 CVEs, signaling a systemic authorization hygiene problem rather than an isolated edge case. No active exploitation has been confirmed and the flaw is not in CISA KEV, but the blast radius extends to any OpenClaw deployment that exposes external channel integrations with mixed user privilege tiers. Upgrade to `openclaw >= 2026.3.28` immediately; if patching is not immediately feasible, restrict external channel access at the network or API gateway level and audit logs for anomalous `/phone arm` or `/phone disarm` calls from non-admin identities.

Sources: GitHub Advisory ATLAS CISA KEV

Risk Assessment

Medium risk overall. The vulnerability requires an authenticated session but no elevated privileges — any user with access to an external channel can trigger privileged phone operations. The absence of EPSS data and public exploits lowers urgency, but the breadth of OpenClaw deployments in enterprise AI agent stacks and the package's history (37 CVEs) increases organizational exposure. The fix was shipped 11 days after the commit and is publicly tagged, reducing window for exploitation now that the advisory is public.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm <= 2026.3.24 2026.3.28

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

  1. Patch: Upgrade `openclaw` to `>= 2026.3.28` (npm). The fix commit is `aa66ae1fc797d3298cc409ed2c5da69a89950a45`.
  2. Workaround: If upgrade is blocked, restrict access to external channels at the reverse proxy or API gateway layer to `operator.admin`-equivalent identities only.
  3. Detection: Query application logs for `/phone arm` or `/phone disarm` commands issued by non-admin user identities on external channel endpoints; alert on any match prior to the patch date.
  4. Audit: Given 37 CVEs in this package, conduct a broader authorization audit of other privileged commands exposed via external channels.

Classification

Auth Bypass Agent Plugin AML.T0012 AML.T0049 AML.T0053

Compliance Impact

This CVE is relevant to:

ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN 1.1 - Policies and processes for AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub
Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

Both this CVE and AIID #1368 exploit failures in OpenClaw's trust and authorization model — the incident involved malicious skills bypassing ecosystem trust controls in the same package, and this CVE demonstrates a parallel pattern where scope enforcement is absent on external channel command paths. The systemic authorization weakness across OpenClaw components makes the failure modes directly related.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `aa66ae1fc797d3298cc409ed2c5da69a89950a45` — 2026-03-27T20:35:42Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.

Exploitation Scenario

An attacker with a low-privilege account in an organization's OpenClaw-backed AI assistant (e.g., a general employee using a Slack integration) issues `/phone disarm` via the external Slack channel. Because the `operator.admin` scope check is not enforced on external channel requests, the command executes successfully. The attacker can disable phone routing for an AI-driven support or incident response pipeline — silencing inbound alerts or customer calls — without any administrator credentials. In a targeted attack, this could be chained with a separate incident to suppress AI-automated alerting at a critical moment.

Weaknesses (CWE)

CWE-285 Improper Authorization Primary

References

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed