PT-2026-35632 · Npm · Openclaw
Publicado
2026-04-17
·
Atualizado
2026-04-17
CVSS v4.0
2.3
Baixa
| Vetor | AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
Delivery queue recovery could lose group tool-policy context for media replay.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.4.10 < 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.
Technical Details
The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.
Fix
The issue was fixed in #66025. The first stable tag containing the fix is
v2026.4.14, and openclaw@2026.4.14 includes the fix.Fix Commit(s)
48aae82bbc19ba8b0741e61a08063eb0d1df464e- PR: #66025
Release Process Note
Users should upgrade to
openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openclaw