Cyber Posture

CVE-2026-28473

Severity: High · Public PoC

Published: 05 March 2026
Modified: 11 March 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0005 (14.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28473 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

- AC-3 (prevent): enforces approved authorizations for access to resources, directly preventing the bypass of the operator.approvals permission check via the /approve chat command invoking privileged RPC.
- AC-25 (prevent): implements a tamperproof reference monitor that mediates all accesses, ensuring there are no bypass paths such as the internal privileged gateway client.
- AC-24 (prevent): authorizes access to exec.approval.resolve based on valid access control decisions, countering the unauthorized resolution allowed by the operator.write scope alone.

MITRE ATT&CK Enterprise Techniques (AI)

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

An authorization bypass on a network-accessible service enables remote exploitation of a public-facing application (T1190) for privilege escalation (T1068) and unauthorized exec/command approvals (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.

Deeper analysis (AI)

CVE-2026-28473 is an authorization bypass vulnerability (CWE-863) affecting OpenClaw versions prior to 2026.2.2, published on 2026-03-05. It enables clients possessing the operator.write scope to approve or deny exec approval requests by issuing the /approve chat command. This command path invokes the exec.approval.resolve RPC through an internal privileged gateway client, circumventing the operator.approvals permission check that safeguards direct RPC calls. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

An authenticated attacker with operator.write privileges can exploit this issue remotely over the network with low attack complexity and without requiring user interaction. By sending the /approve chat command, they can resolve exec approval requests without authorization, gaining the ability to approve or deny executions that should require the stricter operator.approvals scope. This results in high impacts to integrity (I:H) and availability (A:H), potentially allowing manipulation of critical operations within the OpenClaw environment.

Mitigation is addressed in the referenced GitHub security advisory (GHSA-mqpw-46fh-299h) and the patching commit (efe2a464afcff55bb5a95b959e6bd9ec0fef086e), which resolve the bypass in OpenClaw version 2026.2.2 and later. The Vulncheck advisory (vulncheck.com/advisories/openclaw-authorization-bypass-via-approve-chat-command) provides additional details on the issue and recommends upgrading to the fixed version to prevent exploitation.
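The bug pattern described above, modelled as an added example that is not OpenClaw's code: a direct RPC path guards exec.approval.resolve with operator.approvals, while a chat-command path forwards /approve through an internal client that carries every scope, so the caller's own scopes are never checked. The hardened handler authorizes the decision against the caller instead. All function names, the scope strings' layout and the sample approvals are assumptions constructed for illustration.

```javascript
// Hypothetical model of the CVE-2026-28473 pattern (not OpenClaw's code).
// Constructed sample state: approvalId -> "pending" | "approve" | "deny".
const pending = new Map();

function resetApprovals() {
  pending.clear();
  pending.set("apr-1", "pending");
  pending.set("apr-2", "pending");
}

function hasScope(client, scope) {
  return client.scopes.includes(scope);
}

// Direct RPC path (exec.approval.resolve): guarded by operator.approvals.
function execApprovalResolve(client, id, decision) {
  if (!hasScope(client, "operator.approvals")) {
    return { ok: false, error: "forbidden: operator.approvals required" };
  }
  if (!pending.has(id)) return { ok: false, error: "unknown approval" };
  pending.set(id, decision);
  return { ok: true, status: decision };
}

// Internal gateway client: holds every scope; used for gateway-internal calls.
const internalClient = {
  name: "gateway-internal",
  scopes: ["operator.read", "operator.write", "operator.approvals"],
};

const APPROVE_RE = /^\/approve\s+(\S+)\s+(approve|deny)$/;

// Vulnerable chat path: sending chat needs only operator.write, and /approve is
// forwarded under the internal client's identity, so the caller is never checked.
function handleChatVulnerable(client, text) {
  if (!hasScope(client, "operator.write")) return { ok: false, error: "forbidden" };
  const m = APPROVE_RE.exec(text);
  if (!m) return { ok: true, status: "chat message stored" };
  return execApprovalResolve(internalClient, m[1], m[2]);
}

// Hardened chat path: the resolve call is authorized as the *caller*, which makes
// the chat command subject to the same operator.approvals check as the direct RPC.
function handleChatFixed(client, text) {
  if (!hasScope(client, "operator.write")) return { ok: false, error: "forbidden" };
  const m = APPROVE_RE.exec(text);
  if (!m) return { ok: true, status: "chat message stored" };
  return execApprovalResolve(client, m[1], m[2]);
}

function approvalStatus(id) { return pending.get(id); }
```

The fixed handler rejects the operator.write-only caller exactly where the direct RPC does, which is the reference-monitor property AC-25 above asks for: every path to the privileged operation goes through the same decision point.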

Details

CWE(s)

Affected Products

openclaw openclaw, ≤ 2026.2.2

CVEs Like This One

- CVE-2026-42426 (same product: Openclaw Openclaw)
- CVE-2026-32005 (same product: Openclaw Openclaw)
- CVE-2026-41303 (same product: Openclaw Openclaw)
- CVE-2026-28392 (same product: Openclaw Openclaw)
- CVE-2026-32914 (same product: Openclaw Openclaw)
- CVE-2026-33577 (same product: Openclaw Openclaw)
- CVE-2026-32915 (same product: Openclaw Openclaw)
- CVE-2026-31998 (same product: Openclaw Openclaw)
- CVE-2026-42432 (same product: Openclaw Openclaw)
- CVE-2026-41344 (same product: Openclaw Openclaw)

References