GHSA-F6H3-846H-2R8W

Vulnerability from github – Published: 2026-03-04 18:58 – Updated: 2026-03-04 18:58
Summary
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
Details

Summary

In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.

Context

OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version at triage: 2026.2.21-2
  • Affected versions: <= 2026.2.21-2
  • Planned patched version (pre-set for publish-ready advisory): 2026.2.22

Details

Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To.

Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:).

Fix Commit(s)

  • 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2

Release Process Note

The advisory patched_versions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits.

OpenClaw thanks @jiseoung for reporting.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T18:58:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn certain elevated-mode configurations, `tools.elevated.allowFrom` accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.\n\n### Context\nOpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage: `2026.2.21-2`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Planned patched version (pre-set for publish-ready advisory): `2026.2.22`\n\n### Details\nElevated sender authorization now matches sender-scoped identity values only by default (`SenderId`, `From`, `SenderE164`) and no longer considers recipient routing fields such as `ctx.To`.\n\nMutable sender metadata (`SenderName`, `SenderUsername`, `SenderTag`) now requires explicit allowlist prefixes (`name:`, `username:`, `tag:`). Explicit identity prefixes are also supported (`id:`, `from:`, `e164:`).\n\n### Fix Commit(s)\n- `6817c0ec7b4fa830123d4f5c340f075a4bd04ee2`\n\n### Release Process Note\nThe advisory `patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm `openclaw@2026.2.22` is published, this advisory can be published without additional content edits.\n\nOpenClaw thanks @jiseoung for reporting.",
  "id": "GHSA-f6h3-846h-2r8w",
  "modified": "2026-03-04T18:58:07Z",
  "published": "2026-03-04T18:58:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/6817c0ec7b4fa830123d4f5c340f075a4bd04ee2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization"
}

