GHSA-r77c-2cmr-7p47
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r77c-2cmr-7p47
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r77c-2cmr-7p47/GHSA-r77c-2cmr-7p47.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r77c-2cmr-7p47
- Aliases
-
- CVE-2026-43583
- Downstream
- Published
- 2026-04-17T21:50:55Z
- Modified
- 2026-05-12T17:16:26.779369Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
- Details
-
Summary
Delivery queue recovery could lose group tool-policy context for media replay.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.4.10 < 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.
Technical Details
The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.
Fix
The issue was fixed in #66025. The first stable tag containing the fix is
v2026.4.14, andopenclaw@2026.4.14includes the fix.Fix Commit(s)
48aae82bbc19ba8b0741e61a08063eb0d1df464e- PR: #66025
Release Process Note
Users should upgrade to
openclaw2026.4.14 or newer. The latest npm release,2026.4.14, already includes the fix.Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
- Package:
- Database specific
{ "cwe_ids": [ "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2026-04-17T21:50:55Z", "nvd_published_at": null, "severity": "LOW" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r77c-2cmr-7p47
- https://nvd.nist.gov/vuln/detail/CVE-2026-43583
- https://github.com/openclaw/openclaw/pull/66025
- https://github.com/openclaw/openclaw/commit/48aae82bbc19ba8b0741e61a08063eb0d1df464e
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-loss-of-group-tool-policy-context-in-delivery-queue-recovery
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw