PT-2026-31363 — Incorrect Privilege Assignment in Npm Openclaw

PT-2026-31363 · Npm · Openclaw

Published

2026-03-29

Updated

2026-03-29

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin

Affected Packages / Versions

Package: openclaw
Affected versions: <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

Gateway plugin subagent fallback deleteSession previously dispatched sessions.delete with a synthetic operator.admin runtime scope when no request-scoped client existed. Commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7 binds deletion to the caller scope instead of minting admin scope.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7.

Fix Commit(s)

b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7

Fix

Incorrect Privilege Assignment

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-266CWE-648CWE-863

Related Identifiers

GHSA-H4JX-HJR3-FHGC

Affected Products

Openclaw