PT-2026-30781 — Incorrect Privilege Assignment em Npm Openclaw

PT-2026-30781 · Npm · Openclaw

Publicado

2026-03-27

Atualizado

2026-03-27

CVSS v4.0

8.6

Alta

Vetor

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Summary

Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope

Affected Packages / Versions

Package: openclaw
Affected versions: <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

Gateway-authenticated plugin HTTP routes previously created a runtime scope set that included operator.admin regardless of caller-granted scopes. Commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe keeps plugin HTTP runtime scopes least-privileged and preserves caller scope boundaries.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe.

Fix Commit(s)

ec2dbcff9afd8a52e00de054b506c91726d9fbbe

Correção

Incorrect Privilege Assignment

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-266CWE-863

Identificadores relacionados

GHSA-QM2M-28PF-HGJW

Produtos afetados

Openclaw