VDB
EN
HIGH 8.8

GHSA-r7vr-gr74-94p8

OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces

상세

### Summary

OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.

### Impact

This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.

### Affected versions

`openclaw` `<= 2026.3.11`

### Patch

Fixed in `openclaw` `2026.3.12`. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / openclaw
최초 영향 버전: 0 수정 버전: 2026.3.12
수정 npm install openclaw@2026.3.12

참고