PT-2026-35594 · Npm · Openclaw
Publicado
2026-04-17
·
Atualizado
2026-04-17
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Summary
Empty approver lists could grant explicit approval authorization.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.12 - Patched versions:
>= 2026.4.12
Impact
For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id.
Technical Details
The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders.
Fix
The issue was fixed in #65714. The first stable tag containing the fix is
v2026.4.12, and openclaw@2026.4.14 includes the fix.Fix Commit(s)
0a105c0900de701d2ee9f1abc96b017afbd0afdd- PR: #65714
Release Process Note
Users should upgrade to
openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.Credits
Thanks to @anshumanbh for reporting this issue.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw