Security Advisories | Source: GitHub Security Advisories | Views: 2
[openclaw] OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
By GitHub, March 14, 2026
**Summary**
OpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.

**Impact**
This allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.

**Affected versions**
openclaw <= 2026.3.11

**Patch**
Fixed in openclaw 2026.3.12. Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control...
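As an added illustration (not OpenClaw's code; every name below is hypothetical), a minimal command dispatcher in the pre-fix shape the advisory describes, beside an owner-aware dispatcher, together with the access-control table a regression test would pin down:

```python
"""Added example, not OpenClaw's code. Sender, Trust, dispatch_vulnerable,
dispatch_fixed and regression_matrix are hypothetical names constructed here."""
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    # Ordered trust levels: an owner is also command-authorized, never the reverse.
    ANONYMOUS = 0
    COMMAND_AUTHORIZED = 1
    OWNER = 2


@dataclass(frozen=True)
class Sender:
    sender_id: str
    trust: Trust


# Commands the advisory says were documented as owner-only.
OWNER_ONLY = frozenset({"/config", "/debug"})
# Constructed sample of commands any command-authorized sender may run.
GENERAL = frozenset({"/status", "/help"})


def dispatch_vulnerable(sender: Sender, command: str) -> str:
    """Pre-fix shape: one gate asks 'may this sender run commands at all?'
    and never asks whether the command itself is owner-only."""
    if command not in OWNER_ONLY and command not in GENERAL:
        return "unknown"
    return "ok" if sender.trust >= Trust.COMMAND_AUTHORIZED else "denied"


def dispatch_fixed(sender: Sender, command: str) -> str:
    """Post-fix shape: each command carries its required trust level and the
    sender is compared against that level, not against a global flag."""
    if command not in OWNER_ONLY and command not in GENERAL:
        return "unknown"
    required = Trust.OWNER if command in OWNER_ONLY else Trust.COMMAND_AUTHORIZED
    return "ok" if sender.trust >= required else "denied"


def regression_matrix(dispatch) -> dict:
    """Every (trust level, command) pair a regression test should assert on,
    so a future handler cannot silently drop the owner check again."""
    senders = [Sender("anon", Trust.ANONYMOUS),
               Sender("helper", Trust.COMMAND_AUTHORIZED),
               Sender("owner", Trust.OWNER)]
    return {(s.trust.name, c): dispatch(s, c)
            for s in senders for c in sorted(OWNER_ONLY | GENERAL)}
```

Running `regression_matrix` against both dispatchers makes the gap visible as a single differing cell per owner-only command for the command-authorized sender.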
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, please refer to the original link.