Openclaw · Openclaw · CVE-2026-32014
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.2.26
**Description**
OpenClaw is affected by a metadata spoofing issue: the `platform` and `deviceFamily` fields sent on reconnect are accepted from the client without being bound into the device-auth signature. An attacker holding a paired node identity on the trusted network can therefore present spoofed reconnect metadata, bypass platform-based node command policies, and gain access to restricted commands.
**Recommendations**
Versions prior to 2026.2.26 should be updated to version 2026.2.26 or later. Add a device-auth payload `v3` that signs the normalized `platform` and `deviceFamily` values. Verify `v3` first (falling back to `v2` for compatibility) while pinning the paired metadata server-side. Reject reconnect metadata that does not match the pinned values, and require an explicit repair pairing to change pinned metadata. Add regression coverage for reconnect spoof attempts.
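The following is an added illustration of the fix pattern described above, not OpenClaw's own code. It models the reconnect check in miniature: a legacy `v2` payload that covers only identity and nonce, a `v3` payload that additionally binds normalized `platform` and `deviceFamily`, and a server that tries `v3` first, falls back to `v2`, and then enforces the metadata pinned at pairing time. A per-node HMAC secret stands in for the device key, and the message field names, payload layout and sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PairedNode:
    """Server-side pairing record. The per-node HMAC secret stands in for the
    device key; the field names are assumptions for this example, not
    OpenClaw's real schema."""
    node_id: str
    secret: bytes
    platform: str        # pinned at pairing time
    device_family: str   # pinned at pairing time


def normalize(value: str) -> str:
    """Canonical form used both when signing and when comparing against pins."""
    return value.strip().lower()


def _mac(secret: bytes, message: str) -> str:
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_v2(secret: bytes, node_id: str, nonce: str) -> str:
    """Legacy payload: identity and nonce only. platform/deviceFamily are NOT covered."""
    return _mac(secret, f"v2|{node_id}|{nonce}")


def sign_v3(secret: bytes, node_id: str, nonce: str, platform: str, device_family: str) -> str:
    """Hardened payload: normalized platform and deviceFamily are bound into the MAC."""
    return _mac(secret, f"v3|{node_id}|{nonce}|{normalize(platform)}|{normalize(device_family)}")


def verify_reconnect_vulnerable(node: PairedNode, msg: dict) -> tuple[str, dict]:
    """Pre-fix behaviour: only the v2 payload is checked, and the policy engine
    is handed whatever metadata the client sent."""
    expected = sign_v2(node.secret, msg["nodeId"], msg["nonce"])
    if not hmac.compare_digest(expected, msg["sig"]):
        return "bad-signature", {}
    return "ok", {"platform": msg["platform"], "deviceFamily": msg["deviceFamily"]}


def verify_reconnect_fixed(node: PairedNode, msg: dict) -> tuple[str, dict]:
    """Post-fix behaviour: verify v3 first, fall back to v2, then enforce the
    server-side pin. On success the *pinned* metadata is returned, never the
    client's claim."""
    if msg.get("sigVersion") == 3:
        expected = sign_v3(node.secret, msg["nodeId"], msg["nonce"],
                           msg["platform"], msg["deviceFamily"])
    else:
        expected = sign_v2(node.secret, msg["nodeId"], msg["nonce"])
    if not hmac.compare_digest(expected, msg["sig"]):
        return "bad-signature", {}
    if (normalize(msg["platform"]) != normalize(node.platform)
            or normalize(msg["deviceFamily"]) != normalize(node.device_family)):
        # Claimed metadata differs from what was pinned at pairing: reject and
        # require an explicit repair pairing rather than silently updating.
        return "metadata-mismatch", {}
    return "ok", {"platform": node.platform, "deviceFamily": node.device_family}


def demo() -> dict:
    """Run both verifiers over constructed reconnect messages."""
    node = PairedNode("node-1", b"constructed-device-secret", "Linux", "server")
    nonce = "n-42"

    def msg(version: int, platform: str, family: str, sig: str) -> dict:
        return {"nodeId": node.node_id, "nonce": nonce, "sigVersion": version,
                "platform": platform, "deviceFamily": family, "sig": sig}

    honest_v3 = msg(3, " linux ", "Server",
                    sign_v3(node.secret, node.node_id, nonce, "linux", "server"))
    # A paired node holding its own key signs metadata that was never pinned.
    relabelled_v3 = msg(3, "macos", "desktop",
                        sign_v3(node.secret, node.node_id, nonce, "macos", "desktop"))
    # Same claim sent as a legacy v2 message, whose signature says nothing about metadata.
    relabelled_v2 = msg(2, "macos", "desktop", sign_v2(node.secret, node.node_id, nonce))
    # A v3 message whose metadata was altered after it was signed.
    altered_v3 = dict(honest_v3, platform="macos")

    return {
        "vuln_relabelled_v2": verify_reconnect_vulnerable(node, relabelled_v2),
        "fixed_honest_v3": verify_reconnect_fixed(node, honest_v3),
        "fixed_relabelled_v3": verify_reconnect_fixed(node, relabelled_v3),
        "fixed_relabelled_v2": verify_reconnect_fixed(node, relabelled_v2),
        "fixed_altered_v3": verify_reconnect_fixed(node, altered_v3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two controls do different jobs here. Binding the metadata into the `v3` payload means a party without the device key cannot change `platform` or `deviceFamily` in transit without invalidating the signature. It does not, on its own, stop a node that holds its own key from signing a different platform; the server-side pin is what catches that, and it is applied to `v2` fallback messages as well, so the compatibility path cannot be used to sidestep it. Returning the pinned values to the policy layer, rather than the client's claim, keeps the policy decision anchored to what was established at pairing.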