PT-2026-25475 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
Summary
Gateway plugin route auth protection for
/api/channels could be bypassed using encoded dot-segment traversal (for example ..%2f) in path variants that plugin handlers normalize.Affected Packages / Versions
- Package: npm
openclaw - Latest published vulnerable version:
2026.2.25 - Vulnerable version range:
<= 2026.2.25 - Patched version:
2026.2.26(planned next release)
Impact
Under affected versions, crafted alternate paths could bypass gateway auth checks for protected plugin channel routes when plugin handlers decode/canonicalize the incoming path and then route to
/api/channels/... handlers.Fix Commit(s)
258d615c45527ffda37cecd08cd268f97461bde0
Release Process Note
patched versions is pre-set to the planned next release (2026.2.26). After npm publish, maintainers only need to publish the advisory.OpenClaw thanks @zpbrent for reporting.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw