PT-2026-32314 · Npm · Openclaw
Publicado
2026-04-03
·
Atualizado
2026-04-03
CVSS v3.1
7.1
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
Summary
HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: This is a real trusted-proxy HTTP CSRF or browser-origin gap in released tags, but it is not critical because it depends on identity-bearing trusted-proxy browser deployments rather than the shared-secret HTTP operator model.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d— 2026-03-31T19:49:26+09:00
OpenClaw thanks @AntAISecurityLab for reporting.
Correção
CSRF
Origin Validation Error
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw