PT-2026-33569 · Npm · Openclaw

Published

2026-04-07

·

Updated

2026-04-07

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could therefore create a pending pairing entry and trigger a pairing-reply attempt before the signature was rejected.

Impact

An unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay and logging work on the Nostr channel. The issue did not grant message decryption, pairing approval, or any broader authorization bypass.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: >= 2026.3.22, < 2026.3.31
  • Patched versions: >= 2026.3.31
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • 4ee742174f36b5445703e3b1ef2fbd6ae6700fa4 — verify inbound DM signatures before pairing replies

Release Process Note

The fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains the fix.
Thanks @smaeljaish771 for reporting.

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related identifiers

GHSA-H43V-27WG-5MF9

Affected products

Openclaw