PT-2026-25429 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including operator.admin) before pairing approval, enabling privilege escalation.
Impact
Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected: >= 2026.2.22 <= 2026.2.24
- Latest published npm at triage time: 2026.2.24
- Planned patched release: 2026.2.25
Remediation
Require pairing for operator device-identity sessions authenticated with shared token/password auth (except existing control-ui trusted-proxy/control-ui bypass policy paths).
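The following is an added illustration of the authorization pattern the advisory describes and the remediation it prescribes; it is not OpenClaw's code, and every identifier in it (the session fields, the scope names other than operator.admin, the pairing registry, the policy flag) is a hypothetical stand-in. It places the weak check, where a valid shared gateway credential alone is enough to grant any requested operator scope, beside the hardened check, where a device-identity session authenticated with shared token/password auth receives operator scopes only after its device has been paired, with the trusted-proxy/control-ui bypass modelled as an explicit server-side policy rather than anything the client can assert.

```javascript
// Added illustration modelled on the advisory text; not OpenClaw's code.
// All session fields, registry contents and policy flags below are hypothetical.

const OPERATOR_SCOPES = new Set(["operator.read", "operator.write", "operator.admin"]);

// Constructed sample registry: device identities whose pairing an admin has approved.
const pairedDevices = new Set(["device-paired-001"]);

function requestedOperatorScopes(session) {
  return (session.requestedScopes || []).filter((s) => OPERATOR_SCOPES.has(s));
}

// Weak pattern: a valid shared gateway credential is treated as sufficient to grant
// whatever operator scopes the client asks for. A self-signed device identity only
// proves possession of a key, not that anyone approved the device, so an unpaired
// device can request operator.admin and receive it.
function authorizeScopesVulnerable(session) {
  if (!session.sharedAuthValid) return { ok: false, reason: "unauthenticated", scopes: [] };
  return { ok: true, scopes: requestedOperatorScopes(session) };
}

// Hardened pattern, following the advisory's remediation: a device-identity session
// authenticated with shared token/password auth gets operator scopes only once its
// device is paired. The trusted-proxy / control-ui bypass is a server-side policy
// decision passed in by the caller, never a field the client controls.
function authorizeScopesFixed(session, registry = pairedDevices, policy = {}) {
  if (!session.sharedAuthValid) return { ok: false, reason: "unauthenticated", scopes: [] };
  const requested = requestedOperatorScopes(session);
  if (requested.length === 0) return { ok: true, scopes: [] };
  if (policy.trustedProxyBypass) return { ok: true, scopes: requested };
  // Assumption: operator scopes require a paired device; a session with no device
  // identity at all is denied as well rather than silently trusted.
  if (!session.deviceId || !registry.has(session.deviceId)) {
    return { ok: false, reason: "pairing-required", scopes: [] };
  }
  return { ok: true, scopes: requested };
}

// Constructed sessions for a side-by-side comparison of the two checks.
const SAMPLE_SESSIONS = {
  unpairedAdmin: { sharedAuthValid: true, deviceId: "device-unpaired-777", requestedScopes: ["operator.admin"] },
  pairedAdmin: { sharedAuthValid: true, deviceId: "device-paired-001", requestedScopes: ["operator.admin"] },
  noAuth: { sharedAuthValid: false, deviceId: "device-paired-001", requestedScopes: ["operator.read"] },
};

function compare(name) {
  const s = SAMPLE_SESSIONS[name];
  return { name, vulnerable: authorizeScopesVulnerable(s), fixed: authorizeScopesFixed(s) };
}

for (const name of Object.keys(SAMPLE_SESSIONS)) {
  console.log(JSON.stringify(compare(name)));
}
```

Running the block prints one line per sample session: the unpaired device is granted operator.admin by the weak check and refused with `pairing-required` by the hardened one, the paired device is granted by both, and an unauthenticated session is refused by both. The point a reviewer should take from the hardened version is that the pairing lookup happens server-side against an approval registry, so nothing the client presents about its own identity can substitute for that approval.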
Fix Commit(s)
8d1481cb4a9d31bd617e52dc8c392c35689d9dea
Release Process Note
Patched versions are pre-set to the release (>= 2026.2.25). Advisory published with npm release 2026.2.25. OpenClaw thanks @tdjackey for reporting.
Fix
Incorrect Authorization
Weakness Enumeration
Related identifiers
Affected products
Openclaw