[steipete]

OpenClaw creator here.

This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."

The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.

So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.

This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.

The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

[nightpool]

Can you speak a little bit more to the stats in the OP?

* 135k+ OpenClaw instances are publicly exposed

* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

Is this accurate? This is definitely a very different picture then the one you paint

[stingraycharles]

That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).

[bootsmann]

The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.

[nightpool]

I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(

[ctoth]

Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?

[nightpool]

The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.

[pacificpendant]

I’m not the person you’re talking to but the stats are copied from the second link in the post, the web archive one.

[steipete]

Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.

[nightpool]

Definitely agree—that's why I hoped the openclaw maintainer would have been able to speak to those numbers and whether or not they were accurate.

[blks]

> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?

[marscopter]

If I am not mistaken steipete works for OpenAI now as part of OpenClaw being acquired by them back in February.

NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]

Not sure about ByteDance and Tencent.

0. https://www.nvidia.com/en-us/ai/nemoclaw/

[steipete]

They both sponsor the OpenClaw Foundation and provide engineers to improve OpenClaw.

[thejarren]

Jensen mentioned on a podcast (sorry I don’t have a link on me, it was either the all in podcast or Lex Friedman) that they are helping support and harden on the security side, and that he considers it like the “iPhone moment”

Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.

[fg3fgq]

Nvidia is willing to do anything to keep the hype going - there's a desperation to find a 'killer app'.

[just_once]

Nvidia, ByteDance, Tencent and OpenAI?! Wow!

[gigel82]

Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?

[just_once]

Always good to name drop a near universally hated group.

[shaky-carrousel]

Which one? NVIDIA? OpenAI? Bytedance?

[bitdiffusion]

yes

[mvdtnz]

My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.

[RIMR]

Just a heads up that everyone can still see the comment you made on your profile because it wasn't removed by moderator action. It was downvoted to oblivion because it was an attack on another user for using AI.

That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.

I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!

I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.

[mvdtnz]

You're referring to a different comment. This is the comment I left which was removed, word for word,

> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.

[consumer451]

I could not stop myself from looking at this user's submission history, looking for a ShowHN about Clawdbot. No such submission exists.

I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.

[ekianjo]

The hype was entirely manufactured from day 1.

[SeriousM]

[flagged]