HN

Need help?
<- Back
OpenClaw privilege escalation vulnerability

OpenClaw privilege escalation vulnerability

kykeonaut

Comments (182)

  • steipete
    OpenClaw creator here.This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
  • chatmasta
    I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?(I’ve never used any of them.)
  • Meneth
    Text of the post has been [removed]. Original saved here: https://web.archive.org/web/20260403163241/https://old.reddi...
  • petcat
    I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
  • reenorap
    The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
  • niwtsol
    Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
  • Leomuck
    Well, such things were to be expected. It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance. But at the same time, it's also quite cool that so many people can do interesting IT stuff now. I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training. Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something). But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
  • Simon321
    Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people
  • earnesti
    I don't think enabling admin on open internet is a default behaviour by any means?
  • rvz
    OpenClaw has over 400+ security issues and vulnerabilities. [0]Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.[0] https://github.com/openclaw/openclaw/security
  • kube-system
    If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
  • anon
    undefined
  • sva_
    > 4. System grants admin because it never checks if you are authorized to grant adminShipping at the speed of inference for real.
  • ritcgab
    Isn't OpenClaw itself a privilege escalation?
  • throwatdem12311
    Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).This is bad.
  • rossjudson
    With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
  • redoh
    [dead]
  • sunaookami
    Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
  • machinecontrol
    The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.Too much focus on shipping features, not enough attention to stability and security.As the code base grows exponentially, so does the security vulnerability surface.
  • jeremie_strand
    [dead]
  • hyperlambda
    [flagged]
  • dang
    [stub for offtopicness and general piling-on behavior, which we don't want on this site][[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]][[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
  • roangeller
    [flagged]
  • RodMiller
    [dead]
  • n1tro_lab
    [flagged]
  • gloosx
    [flagged]
  • gos9
    Really? Posting AI generated Reddit post with no sources or anything?
  • blharr
    [flagged]
  • throwpoaster
    The Ludditism in this thread, and the linked thread, is shocking.