GHSA-pjvx-rx66-r3fg
MEDIUMOpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
openclawnpmDescription
Summary
/allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store.
Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account.
This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version checked:
2026.3.2 - Affected versions:
<= 2026.3.2 - Fixed on
main: March 7, 2026 in70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release:
2026.3.7
Details
The affected path was:
src/auto-reply/reply/commands-allowlist.ts:386-393resolvedaccountIdand read store state with itsrc/auto-reply/reply/commands-allowlist.ts:697-702andsrc/auto-reply/reply/commands-allowlist.ts:730-733wrote store state without passingaccountIdsrc/pairing/pairing-store.ts:231-234andsrc/pairing/pairing-store.ts:534-554still merged legacy unscoped allowlist entries into thedefaultaccount
The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through.
Impact
- Vulnerability class: improper authorization scoping / incorrect authorization
- Exploitation requires: an already-authorized sender who can run
/allowlistedits - Security effect: unintended authorization expansion from one channel account into
default
Fix Commit(s)
70da80bcb5574a10925469048d2ebb2abf882e73— scope/allowlist ... --storewrites by account and clean up legacy default-account removals
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | openclaw | all versions | 2026.3.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.3.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pjvx-rx66-r3fg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-pjvx-rx66-r3fg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-pjvx-rx66-r3fg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-pjvx-rx66-r3fg in your dependencies?
O3 detects GHSA-pjvx-rx66-r3fg across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.