This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as a single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
sunaookami
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
sva_
> 4. System grants admin because it never checks if you are authorized to grant admin
Shipping at the speed of inference for real.
niwtsol
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
reenorap
The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
Leomuck
Well, such things were to be expected.
It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance.
But at the same time, it's also quite cool that so many people can do interesting IT stuff now.
I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training.
Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something).
But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
neya
Someone has to say this, but - If you still continued to use OpenClaw despite multiple top news sites explaining the scope of the previous hacks and why you shouldn't use it, you probably deserved to get hacked
n1tro_lab
Authorization failed open when a parameter was missing. Same pattern as Langflow. They patched one endpoint, missed another calling the same function. Per-endpoint hardening doesn't scale.
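The fail-open pattern described in the creator's comment at the top of the thread and in the comment above, as an added example that is not part of the thread and not OpenClaw's code. Every function, type and sample value is hypothetical; only the `operator.admin` scope and the `callerScopes` parameter name come from the thread.

```typescript
// Added illustration. Every function and type name is hypothetical; only the
// `operator.admin` scope and the `callerScopes` parameter name come from the thread.
type Decision = { approved: boolean; reason: string };
type PairRequest = { deviceId: string; requestedScopes: string[] };

// Scopes in the request that the caller does not hold (the "scope ceiling").
function exceeds(requested: string[], callerScopes: string[]): string[] {
  return requested.filter((s) => !callerScopes.includes(s));
}

// Fail-open shape: when callerScopes is absent the ceiling check is skipped.
function approveFailOpen(req: PairRequest, callerScopes?: string[]): Decision {
  if (callerScopes) {
    const over = exceeds(req.requestedScopes, callerScopes);
    if (over.length > 0) return { approved: false, reason: `over ceiling: ${over.join(",")}` };
  }
  return { approved: true, reason: "ok" };
}

// Fail-closed shape: absent caller scopes mean no authority to grant anything.
function approveFailClosed(req: PairRequest, callerScopes?: string[]): Decision {
  if (!Array.isArray(callerScopes)) return { approved: false, reason: "callerScopes missing" };
  const over = exceeds(req.requestedScopes, callerScopes);
  if (over.length > 0) return { approved: false, reason: `over ceiling: ${over.join(",")}` };
  return { approved: true, reason: "ok" };
}

// Constructed sample data: a pending request for admin, and a caller below it.
const pending: PairRequest = { deviceId: "device-constructed-1", requestedScopes: ["operator.admin"] };
const lowCaller = ["pairing", "write"]; // placeholder scope labels, not real scope names

// Two call sites share one core check: one passes the caller's scopes, one omits them.
function runBothPaths(approve: (r: PairRequest, s?: string[]) => Decision) {
  return {
    scopedPath: approve(pending, lowCaller),
    unscopedPath: approve(pending), // call site that forgot callerScopes
  };
}

const openResult = runBothPaths(approveFailOpen);
const closedResult = runBothPaths(approveFailClosed);
console.log("fail-open  :", openResult.scopedPath.approved, openResult.unscopedPath.approved);
console.log("fail-closed:", closedResult.scopedPath.approved, closedResult.unscopedPath.approved);
```

With the fail-closed check in the shared function, a call site that forgets the parameter is denied instead of silently bypassing the ceiling, so the fix does not depend on finding every caller.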
kube-system
If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
bigstrat2003
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
Simon321
Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people
rvz
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that, which has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
I don't think enabling admin on open internet is a default behaviour by any means?
pym4n
Guys, OpenClaw is a toy, that's it!
throwatdem12311
Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).
This is bad.
gos9
Really? Posting AI generated Reddit post with no sources or anything?
fraywing
Could anyone have predicted that giving an agent free rein of your personal hardware could have resulted in bad things happening? not I /s
podgorniy
lol
deadbabe
I have a theory OpenClaw was built deliberately for malicious reasons under the guise of being something cool and useful.
blharr
Hackernews is now posting links to reddit AI slop posts that I came here to get away from...
OpenClaw creator here.
Text of the post has been [removed]. Original saved here: https://web.archive.org/web/20260403163241/https://old.reddi...
[0] https://github.com/openclaw/openclaw/security