PT-2026-33556 · Npm · Openclaw
Published
2026-04-07
·
Updated
2026-04-07
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Summary
Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check.
Impact
A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.1
- Patched versions: >= 2026.4.2
- Latest published npm version: 2026.4.1
Fix Commit(s)
49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs
Release Process Note
The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @nexrin for reporting.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw