Описание
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Summary
In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal gateway authorization.
Impact
This is a critical authorization bypass. An external unauthenticated request to a plugin-owned route could reach privileged subagent runtime methods and perform admin-only gateway actions such as deleting sessions, reading session data, or triggering agent execution.
Affected Packages and Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.3.7, < 2026.3.11 - Fixed in:
2026.3.11
Technical Details
The new plugin subagent runtime preserved neither the original caller's auth context nor least-privilege scope. Instead, it executed gateway dispatches through a fabricated operator client with administrative scopes, which was reachable from plugin-owned routes that intentionally bypass normal gateway auth so plugins can perform their own webhook verification.
Fix
OpenClaw now preserves real authorization boundaries for plugin subagent calls instead of dispatching them through synthetic admin scopes. The fix shipped in openclaw@2026.3.11.
Workarounds
Upgrade to 2026.3.11 or later.
Пакеты
openclaw
>= 2026.3.7, < 2026.3.11
2026.3.11
9.4 Critical
CVSS3
Дефекты
9.4 Critical
CVSS3