Source: GitHub Security Advisories
[openclaw] OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
By GitHub, March 3, 2026
**Summary**

OpenClaw Gateway exposes an authenticated HTTP endpoint (`POST /tools/invoke`) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments:

- The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like `sessions_spawn` / `sessions_send` and pivot into creating or controlling agent sessions.
- ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation.

**Impact**

If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to:

- Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment.
- Perform cross-session message injection via `sessions_send`...
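
One way to express the two guardrails the summary describes, as an added example that is not OpenClaw's code: a default-deny check for the HTTP invoke path and a permission resolver that never auto-approves risky tools. Only `sessions_spawn` and `sessions_send` come from the advisory; the config keys, `read_file`, and the function names are hypothetical.

```javascript
// Added illustration: only sessions_spawn / sessions_send come from the advisory;
// every other name (config keys, "read_file", function names) is hypothetical.
const HTTP_DEFAULT_DENY = new Set(["sessions_spawn", "sessions_send"]);

const norm = (tool) => String(tool ?? "").trim().toLowerCase();

// Gate for POST /tools/invoke, evaluated after Gateway auth has succeeded.
// A valid token is not enough: session orchestration tools stay blocked on the
// HTTP surface unless the operator opts in per tool (cfg.httpAllowHighRisk).
function authorizeHttpInvoke(tool, cfg = {}) {
  const name = norm(tool);
  if (!name) return { ok: false, reason: "missing tool name" };
  if (HTTP_DEFAULT_DENY.has(name) && !(cfg.httpAllowHighRisk ?? []).includes(name)) {
    return { ok: false, reason: "high-risk tool denied on HTTP by default" };
  }
  // Fail closed: anything not explicitly exposed is rejected.
  if (!(cfg.allow ?? []).includes(name)) {
    return { ok: false, reason: "tool not in HTTP allowlist" };
  }
  return { ok: true, reason: "allowed" };
}

// ACP permission handling: auto-approve only tools on a short read-only list.
// Anything else needs an explicit interactive "allow"; no answer, a timeout, or a
// non-interactive client resolves to "deny".
const AUTO_APPROVE_READ_ONLY = new Set(["read_file"]); // hypothetical tool name

function resolvePermission(tool, userAnswer) {
  const name = norm(tool);
  if (name && AUTO_APPROVE_READ_ONLY.has(name)) return "allow";
  return userAnswer === "allow" ? "allow" : "deny";
}

// Constructed sample config: the operator listed sessions_spawn in the general
// allowlist, but did not opt in to exposing it over HTTP.
const sampleCfg = { allow: ["read_file", "sessions_spawn"], httpAllowHighRisk: [] };
for (const t of ["read_file", "sessions_spawn", "Sessions_Send ", "exec"]) {
  console.log(t.trim(), "->", authorizeHttpInvoke(t, sampleCfg).reason);
}
console.log("sessions_send, no prompt ->", resolvePermission("sessions_send", undefined));
```
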
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools and technologies, see the original link.
![[openclaw] OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval](/assets/images/github_com_1772501086279.png)