CVE-2026-22172: OpenClaw WebSocket Authorization Bypass
OpenClaw has patched a critical authorization bypass vulnerability tracked as CVE-2026-22172, carrying a CVSS score of 9.9. The flaw resides in the WebSocket connect path and allows any user with shared-token or password-authenticated access to self-declare elevated permission scopes without server-side validation — effectively granting themselves administrator-level access to the platform.
All OpenClaw versions prior to 2026.3.12 are affected. Upgrading to 2026.3.12 or later is the only complete remediation.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-22172 |
| CVSS Score | 9.9 (Critical) |
| Affected Versions | OpenClaw < 2026.3.12 |
| Patched Version | OpenClaw 2026.3.12 |
| CWE | CWE-639: Authorization Bypass Through User-Controlled Key |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | Low (shared-token or password auth) |
| User Interaction | None |
| Disclosure Date | March 20, 2026 |
Technical Analysis
Root Cause
The vulnerability exists in how OpenClaw processes the WebSocket connection handshake. During the connect phase, the client-supplied payload includes a scopes field that declares the permissions the session should operate under. In versions prior to 2026.3.12, the server-side handler accepted and trusted these client-declared scopes without binding them to the server's stored record of the authenticated identity's actual permission set.
This is a classic client-supplied privilege escalation flaw: the server should derive and enforce permission scopes from its own authoritative data store, never from attacker-controllable input.
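The trust boundary described above, as an added Python example (not OpenClaw's code): a vulnerable connect handler that binds the session to the client-declared scopes, beside a hardened one that takes scopes only from the server-side identity record. The identity store, token values and the handler names are assumptions; only the "connect" payload shape with "token" and "scopes" comes from the advisory.

```python
import json

# Constructed identity store: token -> server-side record of the identity's real
# permission set. A real deployment would look this up in its database.
IDENTITY_STORE = {
    "tok-alice-admin": {"user": "alice",
                        "scopes": {"admin", "write", "delete", "manage_users"}},
    "tok-bob-readonly": {"user": "bob", "scopes": {"read"}},
}


def authenticate(token):
    """Return the stored identity record for a valid token, else None."""
    return IDENTITY_STORE.get(token)


def connect_vulnerable(raw_payload):
    """Pre-2026.3.12 behaviour as the advisory describes it: the token is
    verified, then the session is bound to whatever scopes the client declared."""
    msg = json.loads(raw_payload)
    identity = authenticate(msg.get("token"))
    if identity is None:
        return None
    # Defect: a client-controlled field becomes the session's authority.
    return {"user": identity["user"], "scopes": set(msg.get("scopes", []))}


def connect_fixed(raw_payload):
    """Hardened handler: scopes come only from the server-side record. A
    client-declared "scopes" field is never granted; when it asks for more
    than the identity holds, the mismatch is recorded for the audit trail."""
    msg = json.loads(raw_payload)
    identity = authenticate(msg.get("token"))
    if identity is None:
        return None
    granted = set(identity["scopes"])
    excess = set(msg.get("scopes", [])) - granted
    if excess:
        print(f"scope_mismatch user={identity['user']} requested={sorted(excess)}")
    return {"user": identity["user"], "scopes": granted}


if __name__ == "__main__":
    # The payload from the attack flow, sent with a read-only token.
    payload = json.dumps({"type": "connect", "token": "tok-bob-readonly",
                          "scopes": ["admin", "write", "delete", "manage_users"]})
    print("vulnerable:", connect_vulnerable(payload))  # session gets admin
    print("fixed:     ", connect_fixed(payload))       # session stays read-only
```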
Attack Flow
1. Attacker authenticates with any valid shared-token or password credential — even a low-privilege account (read-only, guest, standard user)
2. Attacker opens a WebSocket connection to the OpenClaw endpoint
3. During the connect handshake, attacker injects an elevated scope claim:

```json
{
  "type": "connect",
  "token": "<valid_low_priv_token>",
  "scopes": ["admin", "write", "delete", "manage_users"]
}
```

4. Server validates the token as authentic (it is) but fails to check whether the token's associated identity is authorized for the declared scopes
5. Server binds the session with admin-level permissions as declared — attacker now operates as a privileged admin user
6. Attacker reads, modifies, or deletes data; creates admin accounts; exfiltrates credentials or configuration

Why the CVSS Is 9.9
The near-perfect score reflects several compounding factors:
| Factor | Assessment |
|---|---|
| Attack Vector | Network — exploitable remotely, no local access needed |
| Complexity | Low — no race conditions, no special timing, trivially repeatable |
| Privileges Required | Low — any valid account suffices; no admin access needed to start |
| User Interaction | None — fully automated, no victim action required |
| Confidentiality Impact | High — admin sessions can read all data |
| Integrity Impact | High — admin sessions can modify or delete all data |
| Availability Impact | High — admin sessions can destroy the deployment |
The only reason the score is not a full 10.0 is that the attack requires at least minimal authentication (a valid token or password), rather than being fully unauthenticated.
Affected Deployments
| Scenario | Risk Level |
|---|---|
| Self-hosted OpenClaw < 2026.3.12, WebSocket enabled | Critical |
| Self-hosted with WebSocket traffic blocked at network layer | Mitigated |
| Cloud-hosted OpenClaw SaaS (vendor-managed) | Vendor-dependent — verify patch status |
| OpenClaw 2026.3.12 or later | Patched |
Any internet-accessible OpenClaw deployment running a vulnerable version should be treated as potentially compromised pending investigation.
Remediation
Step 1: Upgrade Immediately
The only complete fix is upgrading to OpenClaw 2026.3.12, which adds server-side scope validation that ignores client-declared scopes and derives permissions exclusively from the authenticated identity's server-stored permission record.
```shell
# Docker-based deployment (point the compose file's image tag at 2026.3.12
# first, otherwise `up` recreates the container from the old tag)
docker pull openclaw/openclaw:2026.3.12
docker-compose up -d

# Package manager (if applicable)
npm update openclaw
# or
pip install --upgrade openclaw
```

Step 2: Interim Mitigation (If Upgrade Is Not Immediately Possible)
If an immediate upgrade is not feasible, block or restrict WebSocket access at the network perimeter:
```nginx
# Nginx: block WebSocket upgrade on the connect path
location /ws/connect {
    return 403;
}

# Or restrict to trusted IP ranges only
location /ws/ {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}
```

Note: This is a temporary measure only. Upgrade to 2026.3.12 as soon as operationally possible.
Step 3: Audit for Compromise
Review WebSocket connection logs for the connect event with unexpected elevated scope claims:
```shell
# Search logs for scope escalation indicators.
# get_known_admin_tokens is a placeholder: replace it with a command that prints
# the tokens of legitimate admin accounts, one per line. Check its output first:
# if it prints nothing, `grep -v ""` suppresses every line.
grep '"scopes"' /var/log/openclaw/websocket.log | \
  grep -E '"admin"|"manage_users"|"delete"' | \
  grep -v "$(get_known_admin_tokens)"

# Check for suspicious admin-level actions from non-admin accounts
grep "privilege_escalation\|scope_mismatch" /var/log/openclaw/audit.log
```

Look for accounts that are not expected to hold admin privileges but performed administrative operations (user creation, config changes, data deletion).
Detection
SIEM / Log Query
Detect exploitation attempts by searching for WebSocket connect events where the declared scopes exceed the user's known authorization level:
```sql
-- Example query for SIEM platforms
SELECT timestamp, user_id, source_ip, declared_scopes, actual_scopes
FROM websocket_events
WHERE event_type = 'connect'
  AND declared_scopes != actual_scopes
  AND declared_scopes LIKE '%admin%'
ORDER BY timestamp DESC;
```

Indicators of Compromise
- WebSocket `connect` payloads containing `admin`, `write`, `delete`, or `manage_users` scopes from non-admin user tokens
- Unexpected admin-level API calls (user management, configuration changes, bulk data operations) originating from standard user accounts
- New admin accounts created without a corresponding legitimate administrative session
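The comparison that the audit step and the SIEM query above both express (declared scopes versus the identity's real grant), as an added Python example run over constructed log lines; it is not OpenClaw tooling. The JSON-per-line log format, its field names and the KNOWN_SCOPES map are assumptions; a real sweep would take the map from the identity store and the lines from the WebSocket log.

```python
import json

# Authoritative server-side view of each user's permissions (constructed).
KNOWN_SCOPES = {
    "alice": {"admin", "write", "delete", "manage_users"},
    "bob": {"read"},
    "carol": {"read", "write"},
}

# Constructed sample log lines, one JSON object per line: a legitimate admin
# connect, an escalation attempt by a read-only user, a non-connect event, and
# a connect whose declared scopes are within the user's grant.
SAMPLE_LOG = """\
{"ts":"2026-03-20T10:01:02Z","event":"connect","user_id":"alice","source_ip":"10.0.0.5","scopes":["admin","write"]}
{"ts":"2026-03-20T10:02:15Z","event":"connect","user_id":"bob","source_ip":"203.0.113.7","scopes":["admin","write","delete","manage_users"]}
{"ts":"2026-03-20T10:02:16Z","event":"message","user_id":"bob","source_ip":"203.0.113.7"}
{"ts":"2026-03-20T10:03:00Z","event":"connect","user_id":"carol","source_ip":"10.0.0.9","scopes":["write"]}
"""


def scope_escalation_alerts(log_text, known_scopes):
    """Return one alert per connect event that declares scopes the user does
    not hold server-side. A user with no record is flagged for any declared
    scope, since nothing authoritative justifies it."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        if ev.get("event") != "connect":
            continue
        declared = set(ev.get("scopes", []))
        granted = known_scopes.get(ev.get("user_id"), set())
        excess = declared - granted
        if excess:
            alerts.append({"ts": ev.get("ts"), "user_id": ev.get("user_id"),
                           "source_ip": ev.get("source_ip"),
                           "excess_scopes": sorted(excess)})
    return alerts


if __name__ == "__main__":
    for alert in scope_escalation_alerts(SAMPLE_LOG, KNOWN_SCOPES):
        print(alert)
```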
Key Takeaways
- CVE-2026-22172 is a CVSS 9.9 critical authorization bypass in OpenClaw's WebSocket connect path — any low-privilege user can self-elevate to admin
- The root cause is trusting client-declared permission scopes instead of deriving them server-side from the identity's authoritative record
- All OpenClaw deployments prior to version 2026.3.12 are affected
- Upgrade to 2026.3.12 immediately — interim mitigation by blocking WebSocket access is possible but not a substitute
- Treat any vulnerable internet-accessible deployment as potentially compromised and audit WebSocket logs for unauthorized scope declarations