PT-2026-25470 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.
Details
In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via DM pairing could satisfy group sender allowlist checks without being explicitly present in
groupAllowFrom.This is an authorization-policy boundary issue between DM pairing and group allowlists.
Affected Packages / Versions
openclaw(npm): affected<= 2026.2.25(latest published npm version at triage time)openclaw(npm): patched>= 2026.2.26(planned next release)
Fix Commit(s)
openclaw/openclaw@8bdda7a651c21e98faccdbbd73081e79cffe8be0openclaw/openclaw@051fdcc428129446e7c084260f837b7284279ce9
Release Process Note
patched versions is pre-set to the planned next release (2026.2.26) so once npm release is published, maintainers can publish the advisory without additional metadata edits.Maintainer Timeline Note
Maintainers landed the initial fix before this report was filed; this report still provided useful independent confirmation of the issue class and exploit path.
OpenClaw thanks @tdjackey for reporting.
Fix
Improper Authorization
Path traversal
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw