PT-2026-30540 · Npm · Openclaw

Published

2026-03-26

·

Updated

2026-03-26

CVSS v4.0

2.3

Low

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 3cbf932413e41d1836cb91aed1541a28a3122f93

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/tlon/src/monitor/index.ts now honors explicit empty allowlists as authoritative deny-all configuration.
  • extensions/tlon/src/monitor/settings-helpers.test.ts ships regression coverage for explicit empty settings allowlists.
Thanks @zpbrent for reporting.

Fix

Improper Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-863

Related Identifiers

GHSA-PW7H-9G6P-C378

Affected Products

Openclaw