PT-2026-31358 · Npm · Openclaw

Publicado

2026-03-29

·

Atualizado

2026-03-29

CVSS v4.0

5.3

Média

VetorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Gateway HTTP Session History Route Bypasses Operator Read Scope

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

The HTTP /sessions/:sessionKey/history route previously authenticated bearer tokens but skipped the same operator.read check used by chat.history over WebSocket. Commit 1c45123231516fa50f8cf8522ba5ff2fb2ca7aea makes HTTP callers declare operator scopes and rejects history reads that do not include operator.read.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 1c45123231516fa50f8cf8522ba5ff2fb2ca7aea.

Fix Commit(s)

  • 1c45123231516fa50f8cf8522ba5ff2fb2ca7aea

Correção

IDOR

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-639CWE-863

Identificadores relacionados

GHSA-5JVJ-HXMH-6H6J

Produtos afetados

Openclaw