GHSA-r7vr-gr74-94p8
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
상세
### Summary
OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.
### Impact
This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8 [WEB]
- https://github.com/openclaw/openclaw/pull/44305 [WEB]
- https://github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112ff2e [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12 [WEB]