OpenClaw (npm), Improper Authorization Scoping, CVE-202X-XXXXX (Medium)

Listen to this Post

The vulnerability stems from inconsistent account scoping in the `/allowlist … –store` command. When a user with a selected channel accountId runs this command, the system correctly resolves the accountId for read operations . However, during the subsequent write operation to the pairing allowlist store, the code erroneously drops the specific accountId and writes the entry into a legacy, unscoped store . The problem is exacerbated because read operations for the default account still merge these legacy unscoped entries. Consequently, a sender authorization intended for a specific channel account silently bleeds over, authorizing the same sender on the default account as well . This creates a cross-account authorization expansion. The vulnerable code paths are located in `src/auto-reply/reply/commands-allowlist.ts` for the read/write logic and `src/pairing/pairing-store.ts` for the legacy merge . The fix, implemented in commit 70da80bcb5574a10925469048d2ebb2abf882e73, properly scopes the writes to the resolved account and cleans up legacy entries for the default account to prevent this authorization bleed-through .
Platform: openclaw npm
Version: <=2026.3.2
Vulnerability: Cross-account auth
Severity: Medium
date: March 8, 2026

Prediction: March 8, 2026

What Undercode Say:

Analytics:

  • Package: `openclaw` on npm
  • Latest Affected Version: 2026.3.2
  • Patched Version: 2026.3.7
  • Fix Commit: `70da80bcb5574a10925469048d2ebb2abf882e73`
    – Reported By: @tdjackey

Bash Commands & Code Analysis:

Check your current installed version of openclaw
npm list openclaw
Update to the patched version to fix the issue
npm install [email protected]
Verify the fix commit is present in the patched release
npm view [email protected] dist.tarball | xargs curl -s | tar -tz | grep commands-allowlist.ts
Examine the vulnerable code section (if you have an unpatched version)
View lines 386-393 of the commands-allowlist.ts file to see the read logic
sed -n '386,393p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts
View lines 697-702 and 730-733 to see the write logic that dropped the accountId
sed -n '697,702p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts
sed -n '730,733p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts

How Exploit:

An attacker must first be an already-authorized sender with the ability to execute `/allowlist` edits on a channel . By adding an entry intended for a specific channel account, the system’s flawed logic writes this authorization to a legacy unscoped store . Because the default account reads still merge these legacy entries, the sender becomes authorized on the default account without any further action, effectively expanding their access across accounts .

Protection from this CVE:

  • Immediate: Upgrade the `openclaw` npm package to version `2026.3.7` or later .
  • Verification: After updating, run `npm list openclaw` to confirm the version is 2026.3.7.
  • Restart: Restart the OpenClaw service to ensure the patched code is fully loaded.

Impact:

  • Vulnerability Class: Improper Authorization Scoping / Incorrect Authorization .
  • Security Effect: Unintended authorization expansion from a specific channel account to the default account .
  • Privilege Escalation: A sender authorized for one channel may gain unauthorized access to interactions and data associated with the default account.
  • Attack Vector: Requires an already-authorized user with `/allowlist` edit permissions, limiting the pool of potential attackers but making the impact severe for affected multi-account deployments .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top