GHSA-2ch6-x3g4-7759
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
openclawnpmDescription
Summary
commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate.
When commands.allowFrom contained conversation-like identifiers (for example Discord channel:<id> or WhatsApp group JIDs), command/directive authorization could be granted to participants in that conversation instead of only the intended sender identity.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.22-2 - Patched version:
2026.2.23(released)
Details
Root cause: resolveSenderCandidates() in src/auto-reply/command-auth.ts always included ctx.From in candidate evaluation used by commands.allowFrom authorization checks.
ctx.From is sender-like in some direct-message contexts, but conversation-like in channel/group/thread contexts. This mixed principal handling allowed conversation identifiers to satisfy sender-only authorization.
Impact
In affected versions, command/directive authorization could become broader than intended when operators configured commands.allowFrom with conversation identifiers, allowing unintended users in that conversation to run command-only/directive-only flows.
Fix
Main branch now treats commands.allowFrom as sender-only:
ctx.Fromis no longer included as a general sender candidate.ctx.Fromis only used as fallback when sender fields are absent and the value is not conversation-shaped.- Regression tests were added for conversation-id denial and direct-message fallback preservation.
Fix Commit(s)
08e2aa44e78a9c946d97bea62304e6f533b8fa8e
Release Process Note
patched_versions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23.
OpenClaw thanks @jiseoung for reporting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | openclaw | all versions | 2026.2.23 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.2.23 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2ch6-x3g4-7759 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-2ch6-x3g4-7759 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-2ch6-x3g4-7759. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-2ch6-x3g4-7759 in your dependencies?
O3 detects GHSA-2ch6-x3g4-7759 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.