PT-2026-37320 · Npm · Openclaw
Publicado
2026-04-25
·
Atualizado
2026-04-25
CVSS v4.0
1.7
Baixa
| Vetor | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U |
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without
trusted: false. That made the event render as a trusted System: event instead of an untrusted system event.This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low.
Fix
OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers.
Fix commit:
f61896b03cc7031f51106a04566831f4ac2a0bd7
Release
Fixed in OpenClaw
2026.4.20.Correção
Insufficient Verification of Data Authenticity
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openclaw