OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
GHSA-4f8g-77mw-3rxc · CVE-2026-42429
Published · Modified
Description
Impact
Gateway plugin HTTP auth: gateway widens identity-bearing operator.read requests into runtime operator.write.
Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
2026.1.29 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @smaeljaish771 for reporting.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42429
- WEB https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication
Ready to move
Start Securing
Free, no credit card | First findings in minutes