PT-2026-33578 · Npm · Openclaw
Published: 2026-04-07 · Updated: 2026-04-07
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.
Impact
This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.
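An added illustration of the flaw and its fix, not OpenClaw's own code: a simplified in-memory model in which the function names, the cap of 3 and the 60-second request lifetime are all assumptions. It shows requests from one account filling a per-channel window and blocking a second account, and the per-account count that removes the interference.

```javascript
// Simplified model for illustration; not taken from the OpenClaw source.
const MAX_PENDING = 3;   // assumed cap; the advisory does not state the real value
const TTL_MS = 60000;    // assumed lifetime of a pending pairing request

// Drop expired requests (an approval would remove an entry the same way).
const live = (store, now) => store.filter((r) => r.expiresAt > now);

// Pre-fix behaviour: one cap shared by every account in the channel file.
function addPerChannel(store, accountId, now) {
  const pending = live(store, now);
  if (pending.length >= MAX_PENDING) return { store: pending, accepted: false };
  return { store: [...pending, { accountId, expiresAt: now + TTL_MS }], accepted: true };
}

// Post-fix behaviour: the cap counts only the requesting account's entries.
function addPerAccount(store, accountId, now) {
  const pending = live(store, now);
  const mine = pending.filter((r) => r.accountId === accountId).length;
  if (mine >= MAX_PENDING) return { store: pending, accepted: false };
  return { store: [...pending, { accountId, expiresAt: now + TTL_MS }], accepted: true };
}

// Fill the window from account-a, then ask for a challenge on account-b.
function scenario(add) {
  let store = [];
  for (let i = 0; i < MAX_PENDING; i++) ({ store } = add(store, "account-a", 0));
  const other = add(store, "account-b", 1);            // unaffected account
  const same = add(other.store, "account-a", 2);       // account already at its cap
  const afterExpiry = add(store, "account-b", TTL_MS + 1); // old entries expired
  return { other: other.accepted, same: same.accepted, afterExpiry: afterExpiry.accepted };
}

console.log("per-channel:", scenario(addPerChannel));
console.log("per-account:", scenario(addPerAccount));
```

With the per-channel cap, account-b is refused until account-a's entries expire; with the per-account cap, account-b is accepted immediately while account-a stays limited.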
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: >= 2026.2.26, < 2026.3.31
- Patched versions: >= 2026.3.31
- Latest published npm version: 2026.4.1
Fix Commit(s)
9bc1f896c8cd325dd4761681e9bdb8c425f69785: scope pending request caps per account
Release Process Note
The fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains the fix.

Thanks @smaeljaish771 for reporting.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw