PT-2026-37329 · Npm · Openclaw
Publicado
2026-04-25
·
Atualizado
2026-04-25
CVSS v4.0
2.3
Baixa
| Vetor | AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.
This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.
Fix
Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.
Fix commit:
5a12f30441d5b0b151f550daa2c5c9e8db61e2e6
Release
Fixed in OpenClaw
2026.4.20.Correção
Incorrect Authorization
Improper Access Control
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw