GHSA-9wqx-g2cw-vc7r

Suggest an improvement
Source
https://github.com/advisories/GHSA-9wqx-g2cw-vc7r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9wqx-g2cw-vc7r/GHSA-9wqx-g2cw-vc7r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9wqx-g2cw-vc7r
Aliases
  • CVE-2026-35647
Downstream
Published
2026-03-27T22:31:48Z
Modified
2026-04-10T17:21:40Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
Details

Summary

Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Matrix verification notices previously bypassed DM access checks and could reply to peers that were unpaired or otherwise outside the allowed DM policy. Commit 2383daf5c4a4e08d9553e0e949552ad755ef9ec2 gates verification notices on DM access before sending.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 2383daf5c4a4e08d9553e0e949552ad755ef9ec2.

Fix Commit(s)

  • 2383daf5c4a4e08d9553e0e949552ad755ef9ec2
Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T22:31:48Z",
    "cwe_ids": [
        "CWE-288",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2026.3.24

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9wqx-g2cw-vc7r/GHSA-9wqx-g2cw-vc7r.json"