PT-2026-31366 · Npm · Openclaw

Publicado

2026-03-29

·

Atualizado

2026-03-29

Nenhuma

Não há classificações de severidade ou métricas disponíveis. Quando houver, atualizaremos as informações correspondentes na página.

Summary

session status sessionId resolution bypasses sandboxed session-tree visibility

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: >= 2026.3.11, <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

session status previously resolved a sessionId to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit sessionKey. Commit d9810811b6c3c9266d7580f00574e5e02f7663de enforces visibility after sessionId resolution so sandboxed callers cannot escape their session tree.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit d9810811b6c3c9266d7580f00574e5e02f7663de.

Fix Commit(s)

  • d9810811b6c3c9266d7580f00574e5e02f7663de

IDOR

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-639CWE-863

Identificadores relacionados

GHSA-Q2QC-744P-66R2

Produtos afetados

Openclaw