PT-2026-25100 — Npm Openclaw

PT-2026-25100 · Npm · Openclaw

Publicado

2026-03-02

Atualizado

2026-03-02

CVSS v4.0

6.9

Média

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists.

Impact

This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults.

Fix

Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted).

Affected and Patched Versions

Affected: <= 2026.2.26
Patched: 2026.3.1

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-436CWE-176

Identificadores relacionados

GHSA-392F-GGF5-FP3C

Produtos afetados

Openclaw