
CVE-2026-22172: Any OpenClaw User Could Become Admin

Any authenticated OpenClaw user could escalate to admin during the WebSocket handshake. The fix is in v2026.3.12.

April 3, 2026 · 4 min read · By Andres · Updated April 3, 2026

Any authenticated OpenClaw user could elevate themselves to full administrator. Not by chaining together obscure bugs, not by pulling in a specialist exploit kit, but by telling the system they were an admin during the initial connection and having the gateway accept it.

TL;DR: CVE-2026-22172 is a critical OpenClaw vulnerability in the WebSocket handshake. A logged-in user could declare admin-level scope during connection setup, and affected versions would trust it. Patch to v2026.3.12 or later immediately.

What Happened

OpenClaw uses WebSocket connections to link devices, agents, and services to the gateway. During the handshake, the client and server establish identity and permission scope.

The problem was brutally simple: the client could declare its own scope, including full administrator access, and the server did not properly verify it before accepting the session.

The easiest way to think about it is a security desk that asks you to write your own badge and never checks it against the employee list. If you wrote admin, the system treated you like admin.

This was not an unauthenticated internet drive-by bug. The attacker needed valid credentials first. But once they had any legitimate account, however limited, privilege escalation was straightforward: the only thing standing between that account and admin was a field the client itself filled in.

No exploit framework. No novel research. Just a modified connection request during the WebSocket handshake.
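To make the pattern concrete, here is an added illustration of the bug class the post describes, written for this page. It is not OpenClaw's code: the hello-frame shape, the `scope` field name, the token values and the in-memory principal table are all assumptions. The vulnerable handler copies whatever scope the client declares into the session; the hardened handler derives scope from the server-side record of who actually authenticated and treats a client-supplied scope as, at most, a request to be intersected with what that principal holds.

```javascript
// Added illustration of a client-declared-scope handshake bug.
// NOT OpenClaw's code: frame shape, field names and the principal store
// are assumptions made for this example.

// Constructed server-side record of authenticated principals. In a real
// gateway this comes from the session store or token verifier, never from
// anything the client sends.
const PRINCIPALS = {
  "tok-alice": { user: "alice", scopes: ["agent:read", "agent:write"] },
  "tok-bob":   { user: "bob",   scopes: ["agent:read"] },
  "tok-root":  { user: "root",  scopes: ["admin"] },
};

// Authentication only: proves who the client is, says nothing about scope.
function authenticate(token) {
  const principal = PRINCIPALS[token];
  if (!principal) throw new Error("unauthenticated");
  return principal;
}

// Vulnerable pattern: the token is checked, but the session's scope is
// taken from the client's own claim. Any authenticated user can send
// scope: "admin" and get it.
function handshakeVulnerable(helloFrame) {
  const who = authenticate(helloFrame.token);
  const scopes = helloFrame.scope ? [helloFrame.scope] : who.scopes;
  return { user: who.user, scopes };
}

// Hardened pattern: authorization scope comes from the server-side
// principal record. A client-supplied scope is only a request; anything
// the principal does not already hold is rejected outright rather than
// silently granted.
function handshakeHardened(helloFrame) {
  const who = authenticate(helloFrame.token);
  const requested = helloFrame.scope ? [helloFrame.scope] : who.scopes;
  const denied = requested.filter((s) => !who.scopes.includes(s));
  if (denied.length > 0) {
    throw new Error(`scope not held by ${who.user}: ${denied.join(",")}`);
  }
  return { user: who.user, scopes: requested };
}

// Constructed escalation attempt: a low-privilege but valid account
// declaring admin scope during connection setup.
const escalationAttempt = { type: "hello", token: "tok-bob", scope: "admin" };

console.log("vulnerable:", handshakeVulnerable(escalationAttempt).scopes);
try {
  handshakeHardened(escalationAttempt);
} catch (e) {
  console.log("hardened:", e.message);
}
```

The design point is that the hardened version never consults the client's claim to decide what it is allowed to do; it only consults it to decide what to deny. A legitimate admin token still gets admin scope, a legitimate limited token still gets its own scopes, and the same escalation frame that succeeds against the vulnerable handler is refused with an explicit error that is worth logging.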

Why This One Matters More

Reports tied the issue to a CVSS score of 9.9, which lands in the Critical band (9.0 to 10.0) and puts it among the most severe disclosed OpenClaw flaws.

Why so high?

  • Low complexity: the exploit path is a single modified handshake message, with no race, no brute force and no chained bugs.
  • Low privileges required: any authenticated account qualifies, not a specially placed one.
  • High impact: successful abuse yields administrator scope over the whole gateway.
  • Realistic exposure: many OpenClaw deployments are internet-reachable or shared among multiple authenticated users.

If your OpenClaw gateway is exposed to the public internet, or if multiple collaborators, contractors, or tools have authenticated access, the blast radius is obvious: one ordinary account could become the account that controls everything.

On an OpenClaw deployment, that can mean:

  • connected agents
  • automation workflows
  • tool permissions
  • filesystem access paths
  • business data moving through the gateway

In other words, this is not just a broken role flag. It is a control-plane failure.

What To Do Right Now

1. Check your exact version

Do not guess. Verify the version the running gateway process actually reports, not the version you believe you deployed, and make sure it is v2026.3.12 or later. Compare the full version, not just the year and month.

2. Patch immediately if you are behind

This is not a maintenance-window issue. If you are running an affected version, update now.

3. Audit who has authenticated access

Because this bug required valid authentication, review every user, collaborator, service, and integration that can log in. Remove anything you do not actively need.

4. Reduce public exposure

If your gateway is reachable from the open internet, add another control layer:

  • Tailscale
  • VPN-only access
  • IP allowlists
  • reverse-proxy access controls

Patching the bug matters. Reducing exposure matters too.
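One trap in step 1 is comparing calendar-style version strings as text. As an added helper for this page (not part of OpenClaw, and assuming the `vYYYY.M.D` form quoted above, obtained by whatever means your deployment exposes its version), the check below parses each component numerically before comparing against the fixed release, and shows why a plain string comparison would wrongly pass an older build.

```javascript
// Added version-check helper, not part of OpenClaw. Assumes versions use
// the calendar form vYYYY.M.D quoted in this post (e.g. "v2026.3.12").
const FIXED_VERSION = "v2026.3.12";

// Parse "v2026.3.12" or "2026.3.12" into [2026, 3, 12]; reject anything else
// rather than guessing, because a misparsed version must never read as "patched".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Field-by-field numeric comparison. A lexical compare gets this wrong:
// "v2026.3.9" > "v2026.3.12" as strings, but 9 < 12 as numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True only when the running version is the fixed release or newer.
function isPatched(running, fixed = FIXED_VERSION) {
  return compareVersions(running, fixed) >= 0;
}

// Constructed sample of versions an operator might find across a fleet.
for (const v of ["v2026.3.9", "v2026.3.11", "v2026.3.12", "v2026.4.1"]) {
  console.log(v, isPatched(v) ? "patched" : "VULNERABLE, update now");
}
```

Run this against every gateway you operate, not just the one you remember upgrading; a single host still on a March build older than .12 is the one an attacker will find.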

Key Takeaways

  • CVE-2026-22172 is a critical privilege-escalation flaw in the OpenClaw WebSocket handshake.
  • Any authenticated user could claim admin scope on affected versions, because the server trusted the client-declared scope instead of deriving it from the authenticated identity.
  • The fix is in v2026.3.12 or later. Check the exact version, not just the month or major release.
  • This is a control-plane problem, not a cosmetic permissions bug. Successful abuse can expose every connected agent and workflow on the gateway.
  • Patch plus exposure reduction is the right response. Updating is necessary; reducing who can reach the gateway is the second half of the fix.

OpenClaw is powerful because it concentrates access. That is exactly why permission-boundary failures matter so much. If the system lets users define their own authority during connection setup, every other safety control downstream becomes less meaningful.
