PT-2026-30781 · Npm · Openclaw

Published: 2026-03-27 · Updated: 2026-03-27

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Summary

Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Gateway-authenticated plugin HTTP routes previously built a runtime scope set that always included operator.admin, regardless of the scopes actually granted to the caller. Commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe keeps plugin HTTP runtime scopes least-privileged and preserves the caller's scope boundaries.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe.
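As an added illustration, not code from openclaw or from the fix commit, the hypothetical scope builder below shows the bug class the advisory describes next to a least-privilege version: the vulnerable form always adds operator.admin to a plugin route's runtime scope set, while the fixed form never grants a scope the caller does not already hold. The scope name operator.read and the function names are assumptions for this example.

```javascript
// Hypothetical illustration of the bug class; not openclaw's own code.
// A plugin HTTP route runs with a "runtime scope set" derived from the
// scopes the gateway-authenticated caller was granted. Scope names other
// than operator.admin are assumptions for this example.

const ADMIN_SCOPE = "operator.admin";

// Vulnerable: the runtime scope set unconditionally includes operator.admin,
// so every gateway-authenticated caller reaches admin-only plugin routes.
function buildRuntimeScopesVulnerable(callerScopes) {
  return new Set([...callerScopes, ADMIN_SCOPE]);
}

// Fixed: the runtime scope set is bounded by the caller's grants. A route may
// request a narrower set, which is intersected with what the caller holds;
// operator.admin appears only when the caller already has it.
function buildRuntimeScopesFixed(callerScopes, requestedScopes = callerScopes) {
  const granted = new Set(callerScopes);
  return new Set([...requestedScopes].filter((scope) => granted.has(scope)));
}

// Authorization check a plugin route would run before an admin-only action.
function canPerformAdminAction(runtimeScopes) {
  return runtimeScopes.has(ADMIN_SCOPE);
}

// Regression check: a caller granted only a read scope must not end up with
// admin in its runtime scopes. Returns true when escalation is possible.
function privilegeEscalationPossible(buildScopes) {
  const limitedCaller = ["operator.read"]; // constructed sample grant
  return canPerformAdminAction(buildScopes(limitedCaller));
}

// Invariant the fix is meant to preserve: runtime scopes never exceed grants.
function runtimeScopesWithinGrants(callerScopes, runtimeScopes) {
  const granted = new Set(callerScopes);
  return [...runtimeScopes].every((scope) => granted.has(scope));
}

console.log(privilegeEscalationPossible(buildRuntimeScopesVulnerable)); // true
console.log(privilegeEscalationPossible(buildRuntimeScopesFixed)); // false
```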

Fix Commit(s)

  • ec2dbcff9afd8a52e00de054b506c91726d9fbbe

Weakness Enumeration

  • Incorrect Privilege Assignment
  • Incorrect Authorization

Related Identifiers

GHSA-QM2M-28PF-HGJW

Affected Products

Openclaw