Hacker News

steipete · last Friday at 5:58 PM · 8 replies

OpenClaw creator here.

This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."

The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.

So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.

This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.

The practical risk for this was very low, especially if OpenClaw is used as a single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
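The fail-open pattern described in this comment, as an added illustration that is not OpenClaw's code: an approval check whose scope ceiling is skipped when `callerScopes` is missing, beside a hardened form that denies instead. The type, function and scope names other than `operator.admin` are assumptions for the example.

```typescript
type Scope = string;

interface PendingDeviceRequest {
  deviceId: string;
  requestedScopes: Scope[];
}

type ApprovalCheck = (
  req: PendingDeviceRequest,
  callerScopes: Scope[] | undefined,
) => boolean;

// Buggy shape: when callerScopes is undefined the ceiling check is skipped,
// so any call site that forgets to thread the caller's scopes through
// approves every request, including one asking for operator.admin.
export const approveFailOpen: ApprovalCheck = (req, callerScopes) => {
  if (callerScopes === undefined) return true; // fail open
  return req.requestedScopes.every((s) => callerScopes.includes(s));
};

// Hardened shape: a missing or empty callerScopes denies, and every requested
// scope must already be held by the approver, so a write-level caller cannot
// approve a device asking for operator.admin.
export const approveFailClosed: ApprovalCheck = (req, callerScopes) => {
  if (!callerScopes || callerScopes.length === 0) return false; // fail closed
  return req.requestedScopes.every((s) => callerScopes.includes(s));
};

// Constructed pending request asking for admin scope (assumed scope names).
export const adminRequest: PendingDeviceRequest = {
  deviceId: "device-example-1",
  requestedScopes: ["operator.write", "operator.admin"],
};

// Two call sites for the same check. The RPC path passes the caller's scopes;
// the plugin command path models the incomplete fix, which did not.
export function rpcApprove(check: ApprovalCheck, callerScopes: Scope[]): boolean {
  return check(adminRequest, callerScopes);
}

export function pluginCommandApprove(check: ApprovalCheck): boolean {
  return check(adminRequest, undefined); // callerScopes never threaded through
}
```

With the hardened check, the call site that forgot to pass scopes denies rather than silently granting admin, which is the property a fix should give every entry point rather than only the one that was patched first.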


Replies

nightpool · last Friday at 6:25 PM

Can you speak a little bit more to the stats in the OP?

* 135k+ OpenClaw instances are publicly exposed

* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

Is this accurate? This is definitely a very different picture than the one you paint

blks · last Friday at 10:31 PM

> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

What exactly does this mean? You have contracts with these companies? People who work for them have sometimes contributed to the openclaw repository in the past?

just_once · last Friday at 7:31 PM

Nvidia, ByteDance, Tencent and OpenAI?! Wow!

turadg · yesterday at 4:25 PM

[dead]

doctorpangloss · yesterday at 3:14 AM

[flagged]

mvdtnz · yesterday at 4:04 AM

My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.

consumer451 · yesterday at 3:58 AM

I could not stop myself from looking at this user's submission history, looking for a ShowHN about Clawdbot. No such submission exists.

I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.

SeriousM · yesterday at 7:14 AM

[flagged]