GHSA-r7vr-gr74-94p8
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
Details
### Summary
OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.
### Impact
This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8 [WEB]
- https://github.com/openclaw/openclaw/pull/44305 [WEB]
- https://github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112ff2e [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12 [WEB]