CVE-2026-62186 in OpenClawinfo

Summary

by MITRE • 07/14/2026

OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to bypass admin authorization policies and execute restricted operations.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability identified in OpenClaw versions prior to 2026.6.8 represents a critical authorization bypass flaw that undermines the security posture of the system through improper access control mechanisms. This issue specifically affects the OpenAI-compatible HTTP model overrides functionality where the authorization checks fail to properly validate caller credentials and trust levels. The vulnerability stems from insufficient input validation and authorization enforcement within the API endpoint handling model configuration overrides, creating a pathway for unauthorized access that bypasses established administrative security policies.

The technical implementation flaw manifests in how the system processes HTTP requests containing model override parameters that should require administrative privileges. When legitimate administrative operations are performed through the OpenAI-compatible interface, the authorization logic fails to properly authenticate and authorize lower-trust callers who may have manipulated input paths or parameters to gain access to restricted functionality. This misconfiguration creates a direct bypass of the intended access control mechanisms that would normally prevent unauthorized users from executing privileged operations.

The operational impact of this vulnerability extends beyond simple unauthorized access as it enables attackers to perform actions that should be restricted to administrators and high-privilege users. Attackers can leverage this flaw to modify model configurations, access sensitive data through overridden parameters, or potentially escalate their privileges within the system. The vulnerability is particularly concerning because it operates at the HTTP interface level where many administrative functions are exposed, making it difficult to detect unauthorized activities that may appear as legitimate operations.

This authorization bypass vulnerability aligns with CWE-285 which addresses improper authorization in software systems and relates to ATT&CK technique T1078 for valid accounts and T1566 for credential access through exploitation of weak authentication mechanisms. The flaw represents a failure in the principle of least privilege where users with lower trust levels can perform operations that should require higher security clearance. The attack surface is further expanded by the fact that OpenAI-compatible interfaces often provide extensive functionality that may not be properly secured against unauthorized access attempts.

Organizations using affected OpenClaw versions should immediately implement mitigations including patching to version 2026.6.8 or later, implementing additional input validation controls, and strengthening authorization policies for HTTP model override endpoints. Network segmentation and monitoring of API endpoints can help detect suspicious activities while enforcing strict access controls that validate caller identity before allowing any administrative operations. The vulnerability serves as a reminder of the critical importance of proper authorization enforcement in distributed systems where multiple interfaces may expose sensitive functionality to different trust levels.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!