Listen to this Post
The vulnerability stems from inconsistent account scoping in the `/allowlist … –store` command. When a user with a selected channel accountId runs this command, the system correctly resolves the accountId for read operations . However, during the subsequent write operation to the pairing allowlist store, the code erroneously drops the specific accountId and writes the entry into a legacy, unscoped store . The problem is exacerbated because read operations for the default account still merge these legacy unscoped entries. Consequently, a sender authorization intended for a specific channel account silently bleeds over, authorizing the same sender on the default account as well . This creates a cross-account authorization expansion. The vulnerable code paths are located in `src/auto-reply/reply/commands-allowlist.ts` for the read/write logic and `src/pairing/pairing-store.ts` for the legacy merge . The fix, implemented in commit 70da80bcb5574a10925469048d2ebb2abf882e73, properly scopes the writes to the resolved account and cleans up legacy entries for the default account to prevent this authorization bleed-through .
Platform: openclaw npm
Version: <=2026.3.2
Vulnerability: Cross-account auth
Severity: Medium
date: March 8, 2026
Prediction: March 8, 2026
What Undercode Say:
Analytics:
- Package: `openclaw` on npm
- Latest Affected Version: 2026.3.2
- Patched Version: 2026.3.7
- Fix Commit: `70da80bcb5574a10925469048d2ebb2abf882e73`
– Reported By: @tdjackey
Bash Commands & Code Analysis:
Check your current installed version of openclaw npm list openclaw Update to the patched version to fix the issue npm install [email protected] Verify the fix commit is present in the patched release npm view [email protected] dist.tarball | xargs curl -s | tar -tz | grep commands-allowlist.ts Examine the vulnerable code section (if you have an unpatched version) View lines 386-393 of the commands-allowlist.ts file to see the read logic sed -n '386,393p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts View lines 697-702 and 730-733 to see the write logic that dropped the accountId sed -n '697,702p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts sed -n '730,733p' node_modules/openclaw/src/auto-reply/reply/commands-allowlist.ts
How Exploit:
An attacker must first be an already-authorized sender with the ability to execute `/allowlist` edits on a channel . By adding an entry intended for a specific channel account, the system’s flawed logic writes this authorization to a legacy unscoped store . Because the default account reads still merge these legacy entries, the sender becomes authorized on the default account without any further action, effectively expanding their access across accounts .
Protection from this CVE:
- Immediate: Upgrade the `openclaw` npm package to version `2026.3.7` or later .
- Verification: After updating, run `npm list openclaw` to confirm the version is
2026.3.7. - Restart: Restart the OpenClaw service to ensure the patched code is fully loaded.
Impact:
- Vulnerability Class: Improper Authorization Scoping / Incorrect Authorization .
- Security Effect: Unintended authorization expansion from a specific channel account to the default account .
- Privilege Escalation: A sender authorized for one channel may gain unauthorized access to interactions and data associated with the default account.
- Attack Vector: Requires an already-authorized user with `/allowlist` edit permissions, limiting the pool of potential attackers but making the impact severe for affected multi-account deployments .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

