GHSA-h43v-27wg-5mf9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h43v-27wg-5mf9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h43v-27wg-5mf9/GHSA-h43v-27wg-5mf9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h43v-27wg-5mf9
- Aliases
-
- CVE-2026-41301
- Downstream
- Published
- 2026-04-07T18:14:39Z
- Modified
- 2026-05-05T16:07:11.080201Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Forged Nostr DMs could create pairing state before signature verification
- Details
-
Summary
Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.
Impact
An unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay/logging work on the Nostr channel. This issue did not grant message decryption, pairing approval, or broader authorization bypass.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.3.22, < 2026.3.31 - Patched versions:
>= 2026.3.31 - Latest published npm version:
2026.4.1
Fix Commit(s)
4ee742174f36b5445703e3b1ef2fbd6ae6700fa4— verify inbound DM signatures before pairing replies
Release Process Note
The fix shipped in OpenClaw
2026.3.31on March 31, 2026. The current published npm release2026.4.1from April 1, 2026 also contains the fix.Thanks @smaeljaish771 for reporting.
- Package:
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2026-04-07T18:14:39Z", "nvd_published_at": "2026-04-21T00:16:30Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9
- https://nvd.nist.gov/vuln/detail/CVE-2026-41301
- https://github.com/openclaw/openclaw/commit/4ee742174f36b5445703e3b1ef2fbd6ae6700fa4
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw