PT-2026-25470 · Npm · Openclaw
Publicado
2026-03-03
·
Atualizado
2026-03-03
CVSS v4.0
7.1
Alta
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.
Details
In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via DM pairing could satisfy group sender allowlist checks without being explicitly present in
groupAllowFrom.This is an authorization-policy boundary issue between DM pairing and group allowlists.
Affected Packages / Versions
openclaw(npm): affected<= 2026.2.25(latest published npm version at triage time)openclaw(npm): patched>= 2026.2.26(planned next release)
Fix Commit(s)
openclaw/openclaw@8bdda7a651c21e98faccdbbd73081e79cffe8be0openclaw/openclaw@051fdcc428129446e7c084260f837b7284279ce9
Release Process Note
patched versions is pre-set to the planned next release (2026.2.26) so once npm release is published, maintainers can publish the advisory without additional metadata edits.Maintainer Timeline Note
Maintainers landed the initial fix before this report was filed; this report still provided useful independent confirmation of the issue class and exploit path.
OpenClaw thanks @tdjackey for reporting.
Correção
Path traversal
Incorrect Authorization
Improper Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw