PT-2026-35632 · Npm · Openclaw
Published
2026-04-17
·
Updated
2026-04-17
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
Delivery queue recovery could lose group tool-policy context for media replay.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.4.10 < 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.
Technical Details
The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.
Fix
The issue was fixed in #66025. The first stable tag containing the fix is
v2026.4.14, and openclaw@2026.4.14 includes the fix.Fix Commit(s)
48aae82bbc19ba8b0741e61a08063eb0d1df464e- PR: #66025
Release Process Note
Users should upgrade to
openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw