PT-2026-30779 — Authentication Bypass Using an Alternate Path or Channel in Npm Openclaw

PT-2026-30779 · Npm · Openclaw

Published

2026-03-27

Updated

2026-03-27

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

Affected Packages / Versions

Package: openclaw
Affected versions: <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

BlueBubbles group reaction events previously bypassed requireMention and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit f8c98630785288cc1f1d0893503ef3b653a3cede applies the reaction path to the same mention gate as normal group messages.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit f8c98630785288cc1f1d0893503ef3b653a3cede.

Fix Commit(s)

f8c98630785288cc1f1d0893503ef3b653a3cede

Fix

Authentication Bypass Using an Alternate Path or Channel

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288CWE-863

Related Identifiers

GHSA-MW7W-G3MG-XQM7

Affected Products

Openclaw