Upgrade openclaw to version 2026.4.21 or higher.
openclaw is 🦞 OpenClaw — Personal AI Assistant.
Affected versions of this package are vulnerable to Missing Authorization in command-auth.ts. When a channel plugin enforces owner-only commands, the channel accepts wildcard inbound senders, and no explicit owner allow list is configured, a non-owner sender can issue owner-enforced commands and gain unauthorized access. This is only exploitable when the channel plugin has commands.enforceOwnerForCommands set to true, allowFrom includes a wildcard ("*"), and commands.ownerAllowFrom is not explicitly set.
This vulnerability can be mitigated by avoiding wildcard or open-DM sender policies on owner-enforced channels, or by configuring commands.ownerAllowFrom to name the intended owner identities explicitly.
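The three conditions above are a configuration state that can be checked before deployment. The following audit is an added example, not openclaw's own code: the config shape it walks (channel name mapped to an object with allowFrom and commands.enforceOwnerForCommands / commands.ownerAllowFrom) is an assumption built only from the key names in this advisory, and the channel names and identities in the sample are constructed. It also goes slightly beyond the advisory by flagging a wildcard inside commands.ownerAllowFrom, since a wildcard there does not name an intended owner identity.

```typescript
// Added example (not openclaw's own code): audit channel configuration for the
// owner-command condition described in this advisory. The config layout below is
// an assumption derived from the advisory's key names; adapt the accessors to the
// real configuration before relying on it.

interface ChannelCommandsConfig {
  enforceOwnerForCommands?: boolean; // true: owner-only commands are enforced
  ownerAllowFrom?: string[];         // explicit owner identities, if configured
}

interface ChannelConfig {
  allowFrom?: string[];              // inbound sender allow list; "*" accepts anyone
  commands?: ChannelCommandsConfig;
}

type ChannelsConfig = Record<string, ChannelConfig>;

interface Finding {
  channel: string;
  reason: string;
}

const WILDCARD = "*";

// True when no explicit owner identity list is configured for the channel.
function ownerListMissing(cfg: ChannelConfig): boolean {
  const owners = cfg.commands?.ownerAllowFrom;
  return !Array.isArray(owners) || owners.length === 0;
}

// Returns one finding per channel that matches the vulnerable combination:
// owner enforcement on, wildcard inbound senders, and no explicit owner list.
function auditOwnerCommandConfig(channels: ChannelsConfig): Finding[] {
  const findings: Finding[] = [];
  for (const [name, cfg] of Object.entries(channels)) {
    // Channels without owner-only enforcement are out of scope for this advisory.
    if (cfg.commands?.enforceOwnerForCommands !== true) continue;

    const acceptsAnySender = (cfg.allowFrom ?? []).includes(WILDCARD);
    if (acceptsAnySender && ownerListMissing(cfg)) {
      findings.push({
        channel: name,
        reason:
          "enforceOwnerForCommands is true, allowFrom contains \"*\", and " +
          "commands.ownerAllowFrom is not set: a non-owner sender can reach owner-only commands",
      });
    } else if ((cfg.commands?.ownerAllowFrom ?? []).includes(WILDCARD)) {
      // Beyond the advisory text: a wildcard owner list names no specific owner.
      findings.push({
        channel: name,
        reason: "commands.ownerAllowFrom contains \"*\"; list concrete owner identities instead",
      });
    }
  }
  return findings;
}

// Constructed sample configuration (channel names and identities are made up).
const sampleChannels: ChannelsConfig = {
  "chat-open": {
    allowFrom: ["*"],
    commands: { enforceOwnerForCommands: true },                      // vulnerable combination
  },
  "chat-hardened": {
    allowFrom: ["*"],
    commands: { enforceOwnerForCommands: true, ownerAllowFrom: ["owner-id-123"] },
  },
  "chat-closed": {
    allowFrom: ["owner-id-123", "friend-id-456"],                      // no wildcard senders
    commands: { enforceOwnerForCommands: true },
  },
  "chat-no-enforcement": {
    allowFrom: ["*"],
    commands: { enforceOwnerForCommands: false },                     // out of scope
  },
  "chat-wildcard-owner": {
    allowFrom: ["*"],
    commands: { enforceOwnerForCommands: true, ownerAllowFrom: ["*"] },
  },
};

function main(): void {
  for (const f of auditOwnerCommandConfig(sampleChannels)) {
    console.log(`[${f.channel}] ${f.reason}`);
  }
}
main();
```

Run against the sample, the audit reports chat-open and chat-wildcard-owner only; chat-hardened shows the mitigation the advisory recommends (an explicit ownerAllowFrom), and chat-closed shows the alternative of not accepting wildcard senders at all.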