PT-2026-30779 · Npm · Openclaw
Published: 2026-03-27 · Updated: 2026-03-27
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events
Affected Packages / Versions
- Package: openclaw
- Affected versions: <= 2026.3.24
- First patched version: 2026.3.25
- Latest published npm version at verification time: 2026.3.24
Details
BlueBubbles group reaction events previously bypassed requireMention and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit f8c98630785288cc1f1d0893503ef3b653a3cede applies the same mention gate to the reaction path as to normal group messages.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit f8c98630785288cc1f1d0893503ef3b653a3cede.
Fix Commit(s)
f8c98630785288cc1f1d0893503ef3b653a3cede
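A minimal model of the bug class described under Details, added here as an illustration and not taken from OpenClaw's code or the fix commit: the message path consults the mention gate while the reaction path enqueues a system event without it. The group names, event shape, and functions (passesMentionGate, dispatchVulnerable, dispatchFixed, run) are hypothetical, and the model assumes a reaction never counts as a mention.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's code.
const groups = {
  "team-chat": { requireMention: true },   // constructed: mention-gated group
  "open-chat": { requireMention: false },  // constructed: open group
};

// Single policy decision shared by every inbound event type.
function passesMentionGate(event) {
  const group = groups[event.groupId];
  if (!group) return false; // unknown group: fail closed
  if (!group.requireMention) return true;
  return event.mentionsAgent === true; // assumption: a reaction carries no mention
}

// "Before": only the message path consults the gate.
function dispatchVulnerable(event, queue) {
  if (event.type === "message") {
    if (passesMentionGate(event)) queue.push({ kind: "message", text: event.text });
  } else if (event.type === "reaction") {
    // Alternate path: system event enqueued with no gate check.
    queue.push({ kind: "system", text: `${event.sender} reacted ${event.emoji}` });
  }
  return queue;
}

// "After": the gate runs once, before any type-specific handling.
function dispatchFixed(event, queue) {
  if (!passesMentionGate(event)) return queue;
  if (event.type === "message") {
    queue.push({ kind: "message", text: event.text });
  } else if (event.type === "reaction") {
    queue.push({ kind: "system", text: `${event.sender} reacted ${event.emoji}` });
  }
  return queue;
}

// Constructed sample events, all from the mention-gated group.
const sampleEvents = [
  { type: "message", groupId: "team-chat", sender: "alice", text: "lunch?", mentionsAgent: false },
  { type: "reaction", groupId: "team-chat", sender: "bob", emoji: "+1" },
  { type: "message", groupId: "team-chat", sender: "carol", text: "@agent status", mentionsAgent: true },
];

// Returns the kinds of events that reached the agent's queue.
function run(dispatch) {
  return sampleEvents.reduce((q, e) => dispatch(e, q), []).map((e) => e.kind);
}

console.log("vulnerable:", run(dispatchVulnerable), "fixed:", run(dispatchFixed));
```

Placing the gate ahead of the type switch means any event type added later inherits the policy instead of needing its own check.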
Fix
Authentication Bypass Using an Alternate Path or Channel
Incorrect Authorization
Related identifiers
Affected products
Openclaw