OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing

High severity · GitHub Reviewed · Published Mar 29, 2026 in openclaw/openclaw

Package

openclaw (npm)

Affected versions

<= 2026.3.24

Patched versions

2026.3.28

Description

Summary

ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.

Impact

A normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge.

Affected Component

src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 4b9542716c (Gateway: require verified scope for chat provenance).
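
The difference between gating on a self-declared handshake label and gating on verified authorization state, as an added example that is not code from openclaw or from the fix commit. The connection shape, the reserved field names, the client label and the scope name are all assumptions made for illustration.

```typescript
// Added illustration; NOT code from openclaw. All names below are hypothetical.
interface Connection {
  // Self-declared by the client during the WebSocket handshake (untrusted).
  clientInfo: { name: string };
  // Set by the server after it validated the client's credentials (trusted).
  verifiedScopes: ReadonlySet<string>;
}

type ChatSendParams = { text: string } & Record<string, unknown>;

// Hypothetical names for the reserved provenance fields and the required scope.
const RESERVED_FIELDS = ["provenance", "provenanceSource"];
const PROVENANCE_SCOPE = "acp.provenance";

function usesReserved(params: ChatSendParams): boolean {
  return RESERVED_FIELDS.some((f) =>
    Object.prototype.hasOwnProperty.call(params, f));
}

// Weak gate: trusts a label the client chose for itself.
function weakGate(conn: Connection, params: ChatSendParams): boolean {
  return !usesReserved(params) || conn.clientInfo.name === "acp-bridge";
}

// Hardened gate: decides only on server-verified authorization state.
function verifiedGate(conn: Connection, params: ChatSendParams): boolean {
  return !usesReserved(params) || conn.verifiedScopes.has(PROVENANCE_SCOPE);
}

// Constructed sample connections and request.
const operator: Connection = {
  clientInfo: { name: "acp-bridge" }, // label copied by an ordinary client
  verifiedScopes: new Set(["operator.chat"]),
};
const bridge: Connection = {
  clientInfo: { name: "acp-bridge" },
  verifiedScopes: new Set(["operator.chat", PROVENANCE_SCOPE]),
};
const request: ChatSendParams = { text: "hi", provenance: { origin: "acp" } };

console.log(weakGate(operator, request));     // true: self-declared label accepted
console.log(verifiedGate(operator, request)); // false: scope was never granted
console.log(verifiedGate(bridge, request));   // true: scope verified by server
```

A request without reserved fields passes both gates, so ordinary chat.send traffic is unaffected by the stricter check.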

References

@steipete published to openclaw/openclaw Mar 29, 2026
Published to the GitHub Advisory Database Mar 31, 2026
Reviewed Mar 31, 2026

Severity

High

Weaknesses

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

CVE ID

No known CVE

GHSA ID

GHSA-6xg4-82hv-cp6f
