PT-2026-39431 · Npm · Openclaw

Published

2026-04-29

·

Updated

2026-04-29

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Impact

OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true:
  • a channel plugin declared commands.enforceOwnerForCommands: true;
  • the channel accepted wildcard inbound senders with allowFrom: ["*"];
  • no explicit commands.ownerAllowFrom was configured.
In that state, src/auto-reply/command-auth.ts reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as /send, /config, or /debug on the affected channel.
The issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope.

Affected Packages / Versions

  • Package: openclaw on npm
  • Affected versions: <= 2026.4.20
  • Patched version: 2026.4.21
The latest public release, 2026.4.21, contains the fix.

Patches

The fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel allowFrom no longer implies wildcard command ownership.
Fix commits:
  • 2aa93d44a1b2c7058c371f261fda2b5d4de4a882 on main
  • 995febb7b1e811ff6a1df5b18c22de94103f4c9f in the 2026.4.21 release line

Workarounds

Upgrade to openclaw@2026.4.21 or later. Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure commands.ownerAllowFrom to the intended owner identities.

Credits

OpenClaw thanks @zsxsoft for reporting.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

GHSA-C28G-VH7M-FM7V

Affected Products

Openclaw