GHSA-wwfp-w96m-c6x8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wwfp-w96m-c6x8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wwfp-w96m-c6x8/GHSA-wwfp-w96m-c6x8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wwfp-w96m-c6x8
- Downstream
- Published
- 2026-04-07T18:14:44Z
- Modified
- 2026-04-07T18:54:14.901917Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
- Details
-
Summary
Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.
Impact
This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.2.26, < 2026.3.31 - Patched versions:
>= 2026.3.31 - Latest published npm version:
2026.4.1
Fix Commit(s)
9bc1f896c8cd325dd4761681e9bdb8c425f69785— scope pending request caps per account
Release Process Note
The fix shipped in OpenClaw
2026.3.31on March 31, 2026. The current published npm release2026.4.1from April 1, 2026 also contains the fix.Thanks @smaeljaish771 for reporting.
- Package:
- Database specific
{ "cwe_ids": [], "github_reviewed_at": "2026-04-07T18:14:44Z", "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw