PT-2026-30549 · Npm · Openclaw

Publicado

2026-03-26

·

Atualizado

2026-03-26

CVSS v3.1

5.9

Média

VetorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Summary

Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user id recorded by the webhook event.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 7ade3553b74ee3f461c4acd216653d5ba411f455

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.
  • extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.
OpenClaw thanks @nexrin for reporting.

Correção

IDOR

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-807CWE-706CWE-639

Identificadores relacionados

GHSA-WV46-V6XC-2QHF

Produtos afetados

Openclaw