PT-2026-32064 — Authentication Bypass by Spoofing em Npm Openclaw

PT-2026-32064 · Npm · Openclaw

Publicado

2026-03-31

Atualizado

2026-03-31

Nenhuma

Não há classificações de severidade ou métricas disponíveis. Quando houver, atualizaremos as informações correspondentes na página.

Summary

ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.

Impact

A normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge.

Affected Component

src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts

Fixed Versions

Affected: <= 2026.3.24
Patched: >= 2026.3.28
Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 4b9542716c (Gateway: require verified scope for chat provenance).

Authentication Bypass by Spoofing

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-290CWE-807

Identificadores relacionados

GHSA-6XG4-82HV-CP6F

Produtos afetados

Openclaw