GHSA-8j2w-6fmm-m587

Source
https://github.com/advisories/GHSA-8j2w-6fmm-m587
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8j2w-6fmm-m587/GHSA-8j2w-6fmm-m587.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8j2w-6fmm-m587
Aliases
  • CVE-2026-32031
Published
2026-03-12T14:22:04Z
Modified
2026-03-25T19:48:31.781653Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
Details

Summary

Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

Details

On affected versions, server-http only applies gateway auth when the raw requestPath matches exactly:
  • /api/channels
  • /api/channels/*

If a plugin handler canonicalizes path input (for example decodeURIComponent(pathname).toLowerCase()), requests like:
  • /API/channels/nostr/default/profile
  • /api/channels%2Fnostr%2Fdefault%2Fprofile
can be interpreted as /api/channels/* by the plugin while the gateway auth guard is skipped.
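The following is an added example, not OpenClaw's code and not the project's actual fix: it models the guard/handler mismatch described above in a few lines of JavaScript. The gateway guard matches the raw path, the plugin router matches the canonicalized path, and the two probe paths from the advisory reach the handler unauthenticated. The hardened guard shown beside it is one possible remedy (decide on the same canonical form the handler routes on, and fail closed on undecodable input). All function names, the server model and the token value are hypothetical.

```javascript
// Added example (not OpenClaw's code): a minimal model of the guard/handler
// mismatch described in the advisory. All names and the token are hypothetical.
const CHANNEL_PREFIX = '/api/channels';
const GATEWAY_TOKEN = 'constructed-test-token'; // constructed for the example only

// Exact-match test shared by the guard and the plugin router.
function isChannelPath(path) {
  return path === CHANNEL_PREFIX || path.startsWith(CHANNEL_PREFIX + '/');
}

// Plugin-side canonicalization, as the advisory describes it.
function canonicalize(pathname) {
  return decodeURIComponent(pathname).toLowerCase();
}

// Vulnerable guard: consults the raw request path only.
function rawGuard(requestPath) {
  return isChannelPath(requestPath);
}

// Hardened guard (one possible fix, not necessarily the project's): evaluate
// the same canonical form the handler will route on, and treat undecodable
// input as protected. Requiring auth when either the raw or the canonical form
// is a channel route keeps the guard at least as broad as the router.
function hardenedGuard(requestPath) {
  let canonical;
  try {
    canonical = canonicalize(requestPath);
  } catch (e) {
    return true; // malformed percent-encoding: fail closed
  }
  return isChannelPath(requestPath) || isChannelPath(canonical);
}

// Builds a request handler: gateway guard first, then the plugin router.
function makeServer(guard) {
  return function handle(requestPath, headers = {}) {
    if (guard(requestPath) && headers.authorization !== `Bearer ${GATEWAY_TOKEN}`) {
      return { status: 401 };
    }
    let canonical;
    try {
      canonical = canonicalize(requestPath);
    } catch (e) {
      return { status: 400 };
    }
    if (isChannelPath(canonical)) {
      return { status: 200, route: canonical };
    }
    return { status: 404 };
  };
}

const vulnerableServer = makeServer(rawGuard);
const fixedServer = makeServer(hardenedGuard);

// Probe paths: the two variants from the advisory plus two controls.
const PROBES = [
  '/api/channels/nostr/default/profile',       // plain form: guarded either way
  '/API/channels/nostr/default/profile',       // case variant
  '/api/channels%2Fnostr%2Fdefault%2Fprofile', // percent-encoded separators
  '/healthz',                                  // unrelated route
];

// Returns, per probe, the status an unauthenticated caller gets from each server.
function audit(paths = PROBES) {
  return paths.map((p) => ({
    path: p,
    vulnerable: vulnerableServer(p).status,
    fixed: fixedServer(p).status,
  }));
}

for (const row of audit()) {
  console.log(`${row.path.padEnd(44)} vulnerable=${row.vulnerable} fixed=${row.fixed}`);
}
```

Running the block prints 200 for the case and percent-encoded variants against the vulnerable server (the handler sees /api/channels/nostr/default/profile, the guard never fired) and 401 against the hardened one. The more robust design is to canonicalize once at the edge and hand every handler the already-canonical path, so there is a single interpretation of the URL rather than two that must be kept in agreement.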

Impact

Authentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.

CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (Base 4.8, Moderate)

Database specific
{
    "cwe_ids": [
        "CWE-288"
    ],
    "github_reviewed_at": "2026-03-12T14:22:04Z",
    "nvd_published_at": "2026-03-19T22:16:38Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

Package: npm / openclaw

Affected ranges
  Type: SEMVER
  Events:
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 2026.2.26

Database specific
  source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8j2w-6fmm-m587/GHSA-8j2w-6fmm-m587.json"
  last_known_affected_version_range: "<= 2026.2.25"