PT-2026-30776 · Npm · Openclaw
Published
2026-03-27
·
Updated
2026-03-27
CVSS v4.0
9.4
Critical
| Vector | AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Summary
Gateway local shared-auth reconnect silently widens paired device scope from operator.read to operator.admin and reach node RCE
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Silent local shared-auth reconnects could previously auto-approve
scope-upgrade requests and widen a paired device from operator.read to operator.admin. Commit 81ebc7e0344fd19c85778e883bad45e2da972229 blocks silent reconnect scope upgrades so widened scopes require an explicit pairing approval instead of an implicit local reconnect path.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 81ebc7e0344fd19c85778e883bad45e2da972229.Fix Commit(s)
81ebc7e0344fd19c85778e883bad45e2da972229
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw