VDB
KO
HIGH 8.8

GHSA-r7vr-gr74-94p8

OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces

Details

### Summary

OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.

### Impact

This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.

### Affected versions

`openclaw` `<= 2026.3.11`

### Patch

Fixed in `openclaw` `2026.3.12`. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0 Fixed in: 2026.3.12
Fix npm install openclaw@2026.3.12

References