GHSA-553v-f69r-656j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-553v-f69r-656j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-553v-f69r-656j/GHSA-553v-f69r-656j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-553v-f69r-656j
- Downstream
- Published
- 2026-03-03T21:39:10Z
- Modified
- 2026-03-04T15:11:33.856176Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
- Details
-
Summary
A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including
operator.admin) before pairing approval, enabling privilege escalation.Impact
Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
>= 2026.2.22 <= 2026.2.24 - Latest published npm at triage time:
2026.2.24 - Planned patched release:
2026.2.25
Remediation
Require pairing for operator device-identity sessions authenticated with shared token/password auth (except existing control-ui trusted-proxy/control-ui bypass policy paths).
Fix Commit(s)
8d1481cb4a9d31bd617e52dc8c392c35689d9dea
Release Process Note
patched_versionsis pre-set to the release (>= 2026.2.25). Advisory published with npm release2026.2.25.OpenClaw thanks @tdjackey for reporting.
- Package:
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-03-03T21:39:10Z", "cwe_ids": [ "CWE-863" ] }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw