PT-2026-35594 · Npm · Openclaw
Published
2026-04-17
·
Updated
2026-04-17
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Summary
Empty approver lists could grant explicit approval authorization.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.12 - Patched versions:
>= 2026.4.12
Impact
For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id.
Technical Details
The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders.
Fix
The issue was fixed in #65714. The first stable tag containing the fix is
v2026.4.12, and openclaw@2026.4.14 includes the fix.Fix Commit(s)
0a105c0900de701d2ee9f1abc96b017afbd0afdd- PR: #65714
Release Process Note
Users should upgrade to
openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.Credits
Thanks to @anshumanbh for reporting this issue.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw