PT-2026-25129 · Npm · Openclaw
Publicado
2026-03-03
·
Atualizado
2026-03-03
CVSS v4.0
8.6
Alta
| Vetor | AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
A paired node device could reconnect with spoofed
platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.25 - Latest published version at update time:
2026.2.25 - Patched version (pre-set for next release):
2026.2.26
Impact
In configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.
Fix
- Add device-auth payload
v3that signs normalizedplatformanddeviceFamily. - Verify
v3first (fallback tov2for compatibility), while pinning paired metadata server-side. - Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.
- Add regression coverage for reconnect spoof attempts.
Fix Commit(s)
7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a
Release Process Note
patched versions is pre-set to the planned next release 2026.2.26; once that npm release is published, the advisory can be published without further field edits.OpenClaw thanks @76embiid21 for reporting.
Correção
Incorrect Authorization
Authentication Bypass by Spoofing
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw