GHSA-9hjh-fr4f-gxc4
Summary
Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
Affected Packages / Versions
- Package: openclaw
- Affected versions: <= 2026.3.24
- First patched version: 2026.3.25
- Latest published npm version at verification time: 2026.3.24
Details
A reconnect that labeled itself as a backend connection could previously request broader scopes than it had been approved for and skip the pairing step, so a non-admin operator could reconnect as operator.admin. Commit d3d8e316bd819d3c7e34253aeb7eccb2510f5f48 removes the backend self-pairing skip and requires pairing whenever the requested scopes exceed the approved baseline.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit d3d8e316bd819d3c7e34253aeb7eccb2510f5f48.
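As an added illustration (not openclaw's code; type names, function names and the pairing representation are hypothetical), the check pattern the fix describes: a self-declared backend label must not bypass pairing, and any requested scope outside the approved baseline triggers pairing before anything is granted.

```typescript
// Added illustration, not openclaw's code: names and the pairing model are hypothetical.
type Scope = string;

interface ReconnectRequest {
  clientLabel: string;        // self-declared by the client, therefore untrusted
  requestedScopes: Scope[];   // scopes the reconnecting client asks for
  approvedScopes: Scope[];    // baseline approved when the operator was originally paired
}

interface ReconnectDecision {
  pairingRequired: boolean;   // true: hold the connection until a fresh pairing is approved
  grantedScopes: Scope[];     // scopes granted immediately (empty while pairing is pending)
  escalatedScopes: Scope[];   // requested scopes not covered by the approved baseline
}

function scopesBeyondBaseline(req: ReconnectRequest): Scope[] {
  const approved = new Set(req.approvedScopes);
  return req.requestedScopes.filter((s) => !approved.has(s));
}

// Vulnerable pattern: a "backend" label skips the pairing check entirely, so a
// non-admin operator can obtain operator.admin simply by setting the label.
function decideReconnectVulnerable(req: ReconnectRequest): ReconnectDecision {
  const escalatedScopes = scopesBeyondBaseline(req);
  if (req.clientLabel === "backend") {
    return { pairingRequired: false, grantedScopes: req.requestedScopes, escalatedScopes };
  }
  const pairingRequired = escalatedScopes.length > 0;
  return { pairingRequired, grantedScopes: pairingRequired ? [] : req.requestedScopes, escalatedScopes };
}

// Hardened pattern (the behaviour the fix commit is described as introducing): the
// label plays no part in authorization, and any scope beyond the baseline requires pairing.
function decideReconnectFixed(req: ReconnectRequest): ReconnectDecision {
  const escalatedScopes = scopesBeyondBaseline(req);
  const pairingRequired = escalatedScopes.length > 0;
  return { pairingRequired, grantedScopes: pairingRequired ? [] : req.requestedScopes, escalatedScopes };
}

// Constructed sample: a non-admin operator relabels itself "backend" and asks for operator.admin.
const sampleEscalation: ReconnectRequest = {
  clientLabel: "backend",
  requestedScopes: ["operator.read", "operator.admin"],
  approvedScopes: ["operator.read"],
};
```

A detection hook belongs where `escalatedScopes` is non-empty: log the label, the baseline and the escalated scopes so that repeated pairing demands from one operator stand out.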
Fix Commit(s)
d3d8e316bd819d3c7e34253aeb7eccb2510f5f48
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4
- https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48
- https://github.com/openclaw/openclaw
