GHSA-rv2q-f2h5-6xmg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rv2q-f2h5-6xmg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rv2q-f2h5-6xmg/GHSA-rv2q-f2h5-6xmg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rv2q-f2h5-6xmg
- Aliases
- Downstream
- Published
- 2026-03-03T23:32:12Z
- Modified
- 2026-03-20T21:17:40.059969Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
- Details
-
Summary
A client authenticated with a shared gateway token could connect as
role=nodewithout device identity/pairing, then callnode.eventto triggeragent.requestandvoice.transcriptflows.Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.21-2 - Patched version:
2026.2.22(planned next release)
Details
The WebSocket connect path allowed device-less bypass whenever shared auth succeeded. That bypass did not restrict role, so a client could claim
role=nodewith no device identity and still pass handshake auth. Becausenode.eventis node-role allowed, this enabled unauthorized node event injection into agent-trigger flows.Impact
Unauthorized
node.eventinjection can trigger agent execution and voice transcript flows for clients that only hold the shared gateway token, without node device pairing.Remediation
Upgrade to
2026.2.22(or newer) once published. The fix requires device identity forrole=nodeconnects, even when shared-token auth succeeds.Fix Commit(s)
- ddcb2d79b17bf2a42c5037d8aeff1537a12b931e
Release Process Note
patched_versionsis pre-set to the planned next release so once npm release2026.2.22is out, advisory publish is a single step.OpenClaw thanks @tdjackey for reporting.
- Package: npm
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-03T23:32:12Z", "cwe_ids": [ "CWE-863" ], "severity": "MODERATE", "nvd_published_at": "2026-03-19T22:16:32Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg
- https://nvd.nist.gov/vuln/detail/CVE-2026-32001
- https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw