This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the /pair approve plugin command path still called the same approval function without callerScopes, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use chat.send with /pair approve latest to approve a pending device request asking for broader scopes, including operator.admin. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach /pair approve could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script become-agent [cmd ...] that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
Well, such things were to be expected.
It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance.
But at the same time, it's also quite cool that so many people can do interesting IT stuff now.
I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training.
Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something).
But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?
256 comments
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the
/pair approveplugin command path still called the same approval function withoutcallerScopes, and the core logic failed open when that parameter was missing.So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use
chat.sendwith/pair approve latestto approve a pending device request asking for broader scopes, includingoperator.admin. In other words: a scope-ceiling bypass from pairing/write-level access to admin.This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach
/pair approvecould hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
Currently we're at 1.8 CVEs per day since OpenClaw launched!
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
[0] https://github.com/openclaw/openclaw/security
become-agent [cmd ...] that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
(I’ve never used any of them.)