PT-2026-25492 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
Summary
A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require the operator role, so an authenticated node role session could connect unpaired and reach node event methods.
Impact
With trusted-proxy authentication enabled, a node role websocket client could skip pairing by using client.id=control-ui. That created an authorization boundary bypass from a node-scoped connection into node event execution flows.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected range: <= 2026.2.24
- Latest published vulnerable version: 2026.2.24
- Patched in next release: 2026.2.25 (pre-set below so this advisory is ready to publish after npm release)
Fix
The trusted-proxy Control UI bypass now additionally requires role === "operator".
Fix Commit(s)
ec45c317f5d0631a3d333b236da58c4749ede2a3
Release Process Note
The patched version is intentionally pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. Once 2026.2.25 is published, the remaining GHSA action is to publish this advisory.
OpenClaw thanks @tdjackey for reporting.
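As an added illustration (not OpenClaw's own code), the TypeScript below models the authorization decision this advisory describes, with the vulnerable bypass check beside the fixed one that also requires role === "operator". The type names, the `authorizeConnect` helper and the shape of the connect parameters are assumptions; only the client id, roles and the fix condition come from the advisory.

```typescript
// Added example (not OpenClaw's code). Names and shapes are assumptions.
type Role = "operator" | "node";

interface ConnectParams {
  role: Role;              // role of the authenticated websocket session
  client: { id: string };  // client-supplied id, e.g. "control-ui"
  paired: boolean;         // true once the device completed normal pairing
}

interface AuthContext {
  trustedProxy: boolean;   // trusted-proxy authentication enabled on the gateway
}

// Vulnerable behaviour (<= 2026.2.24, as described): under trusted-proxy auth
// any authenticated session claiming client.id=control-ui skips pairing,
// regardless of role, so a node role session reaches node event methods.
function pairingBypassVulnerable(ctx: AuthContext, p: ConnectParams): boolean {
  return ctx.trustedProxy && p.client.id === "control-ui";
}

// Fixed behaviour (2026.2.25, as described): the same bypass additionally
// requires role === "operator", so a node role session must still pair.
function pairingBypassFixed(ctx: AuthContext, p: ConnectParams): boolean {
  return ctx.trustedProxy && p.client.id === "control-ui" && p.role === "operator";
}

// Assumed helper: decides whether a connect may proceed to node event methods.
// Returns a reason string so the decision can be logged and audited.
function authorizeConnect(
  bypass: (ctx: AuthContext, p: ConnectParams) => boolean,
  ctx: AuthContext,
  p: ConnectParams,
): "allowed:paired" | "allowed:bypass" | "denied:unpaired" {
  if (p.paired) return "allowed:paired";
  if (bypass(ctx, p)) return "allowed:bypass";
  return "denied:unpaired";
}

// Constructed sample: an unpaired node role session presenting the Control UI
// client id while trusted-proxy authentication is enabled.
const ctx: AuthContext = { trustedProxy: true };
const nodeSession: ConnectParams = { role: "node", client: { id: "control-ui" }, paired: false };

console.log("vulnerable:", authorizeConnect(pairingBypassVulnerable, ctx, nodeSession)); // allowed:bypass
console.log("fixed:     ", authorizeConnect(pairingBypassFixed, ctx, nodeSession));      // denied:unpaired
```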
Weakness Enumeration
Related identifiers
Affected products
Openclaw