GHSA-gp3q-wpq4-5c5h

Source

https://github.com/advisories/GHSA-gp3q-wpq4-5c5h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gp3q-wpq4-5c5h/GHSA-gp3q-wpq4-5c5h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gp3q-wpq4-5c5h

Downstream

MINI-39c7-gpjf-f2rm

Published

2026-03-12T14:21:45Z

Modified

2026-03-14T02:38:55.408130Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries

Details

Summary

In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists.

Affected Packages / Versions

Package: openclaw (npm)
Latest published version at triage/update time: 2026.2.25
Affected: <= 2026.2.25
Patched: >= 2026.2.26 (planned next release)

Impact

This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode.

Technical Details

Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks.

Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths

Fix Commit(s)

8bdda7a651c21e98faccdbbd73081e79cffe8be0
892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening)

Release Process Note

patched_versions is pre-set to >= 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits.

Thanks @tdjackey for reporting.

Database specific

{
    "github_reviewed_at": "2026-03-12T14:21:45Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

npm / openclaw

Package

Name: openclaw; View open source insights on deps.dev
Purl: pkg:npm/openclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.2.26

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gp3q-wpq4-5c5h/GHSA-gp3q-wpq4-5c5h.json"

last_known_affected_version_range

"<= 2026.2.25"