PT-2026-30526 · Npm · Openclaw

Publicado

2026-03-26

·

Atualizado

2026-03-26

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

Mattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/mattermost/src/mattermost/interactions.ts now requires callback authorization before dispatching actions.
  • extensions/mattermost/src/mattermost/monitor.ts routes callback authorization through the same sender and allowlist policy used for normal ingress.
OpenClaw thanks @zpbrent for reporting.

Correção

Incorrect Authorization

Improper Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-696CWE-863CWE-285

Identificadores relacionados

GHSA-8883-9W57-VWV6

Produtos afetados

Openclaw