GHSA-mf69-r24q-ghhr

Source
https://github.com/advisories/GHSA-mf69-r24q-ghhr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mf69-r24q-ghhr/GHSA-mf69-r24q-ghhr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mf69-r24q-ghhr
Downstream
Withdrawn
2026-05-04T21:59:20Z
Published
2026-04-24T00:31:51Z
Modified
2026-05-05T16:08:35.427602Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.

Original Description

OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.

Database specific
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:59:20Z",
    "nvd_published_at": "2026-04-23T22:16:41Z"
}
References

Affected packages

Package: npm / openclaw

Affected ranges
  • Type: SEMVER
  • Introduced: 2026.2.26
  • Fixed: 2026.3.31

Database specific
  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mf69-r24q-ghhr/GHSA-mf69-r24q-ghhr.json"