GHSA-2x4x-cc5g-qmmg
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Details
## Summary
The node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.
## Impact
A lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node.
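The check the advisory describes is a scope-containment test: a pairing approval must fail unless every scope the node requests is already held by the approving caller. The following is an added illustration written for this page, not OpenClaw's code; the function and type names (`approveNodePairing`, `PendingNodeRequest`, `missingScopes`) and the scope strings used in the comments are hypothetical. It shows the unchecked pattern beside the fail-closed form.

```typescript
// Added example for this advisory page, not code from the OpenClaw project.
// Names and scope strings below are hypothetical.

type Scope = string;

interface PendingNodeRequest {
  nodeId: string;
  requestedScopes: Scope[];
}

interface ApprovalResult {
  approved: boolean;
  grantedScopes: Scope[];
  reason?: string;
  missingScopes?: Scope[];
}

// Vulnerable pattern: the approve path trusts the request as-is, so any caller
// who can reach it grants the node whatever scopes the node asked for.
function approveNodePairingUnchecked(req: PendingNodeRequest): ApprovalResult {
  return { approved: true, grantedScopes: req.requestedScopes };
}

// Returns the requested scopes the caller does NOT hold (empty means contained).
function missingScopes(callerScopes: readonly Scope[], requested: readonly Scope[]): Scope[] {
  const held = new Set(callerScopes);
  return requested.filter((scope) => !held.has(scope));
}

// Hardened pattern: approval succeeds only when requestedScopes is a subset of
// callerScopes. Missing or empty callerScopes fails closed rather than open.
function approveNodePairing(
  callerScopes: readonly Scope[] | undefined,
  req: PendingNodeRequest,
): ApprovalResult {
  if (!callerScopes || callerScopes.length === 0) {
    return { approved: false, grantedScopes: [], reason: "caller holds no scopes" };
  }
  const missing = missingScopes(callerScopes, req.requestedScopes);
  if (missing.length > 0) {
    // Report exactly which scopes were refused; useful for audit logging of
    // attempted privilege extension through node pairing.
    return {
      approved: false,
      grantedScopes: [],
      reason: `caller lacks ${missing.length} requested scope(s)`,
      missingScopes: missing,
    };
  }
  return { approved: true, grantedScopes: [...req.requestedScopes] };
}

// Stand-alone demonstration with constructed input.
const demoRequest: PendingNodeRequest = {
  nodeId: "node-demo",
  requestedScopes: ["nodes.read", "nodes.admin"],
};
console.log(approveNodePairingUnchecked(demoRequest));
console.log(approveNodePairing(["nodes.read"], demoRequest));
console.log(approveNodePairing(["nodes.read", "nodes.admin"], demoRequest));
```

The containment test assumes flat, literal scope strings. If a scheme uses hierarchical or wildcard scopes, the `held.has(scope)` comparison has to be replaced with the scheme's own implication rule, and the fail-closed branches should stay exactly as they are.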
## Affected Component
- `src/infra/node-pairing.ts`
- `src/gateway/server-methods/nodes.ts`
## Fixed Versions
- Affected: `<= 2026.3.24`
- Patched: `>= 2026.3.28`
- Latest stable `2026.3.28` contains the fix.
## Fix
Fixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`).
OpenClaw thanks @AntAISecurityLab for reporting.
## References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33577 [ADVISORY]
- https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34 [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve [WEB]