GHSA-49cg-279w-m73x
OpenClaw: Empty approver lists could grant explicit approval authorization
Details
## Summary
Empty approver lists could grant explicit approval authorization.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.12`
- Patched versions: `>= 2026.4.12`
## Impact
For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id.
## Technical Details
The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders.
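The following is an added illustration of the defect class described in the Impact and Technical Details sections above; it is not OpenClaw's code and does not claim to reproduce the actual patched logic. Every name in it (`PendingApproval`, `makeSampleStore`, `tryResolve`, the `helper:ops` channel, the `apr-…` approval ids) is hypothetical, and the "flawed" check models one common way an empty list ends up meaning "no restriction" rather than "nobody is authorized". The hardened variant makes explicit authorization require a non-empty approver list that names the sender, and every outcome is written to an audit list so that denied attempts against valid approval ids are visible to a defender.

```typescript
// Added illustration of the advisory's defect class. Not OpenClaw's code; all
// identifiers here are hypothetical and the sample data is constructed.

interface PendingApproval {
  id: string;
  channel: string;        // the channel the approval belongs to, e.g. a helper-backed one
  approverIds: string[];  // approvers resolved for the channel; may resolve to empty
  resolved: boolean;
}

type ApproverCheck = (approverIds: string[], sender: string) => boolean;

interface AuditEvent {
  outcome: "resolved" | "denied" | "not-found";
  approvalId: string;
  sender: string;
  channel?: string;
}

// Constructed sample data: a fresh store per call so callers do not share mutations.
// apr-1001 sits on a helper-backed channel whose approver list resolved empty.
function makeSampleStore(): Record<string, PendingApproval> {
  return {
    "apr-1001": { id: "apr-1001", channel: "helper:ops", approverIds: [], resolved: false },
    "apr-1002": { id: "apr-1002", channel: "helper:ops", approverIds: ["alice"], resolved: false },
  };
}

// Flawed check (assumed shape of the bug): an empty approver list short-circuits to
// "authorized", so any sender that holds a valid approval id passes the gate.
function isExplicitApproverFlawed(approverIds: string[], sender: string): boolean {
  return approverIds.length === 0 || approverIds.includes(sender);
}

// Hardened check: explicit authorization needs a non-empty list that names the sender.
// An empty list means "nobody is explicitly authorized", not "no restriction".
function isExplicitApproverFixed(approverIds: string[], sender: string): boolean {
  return approverIds.length > 0 && approverIds.includes(sender);
}

// Resolves a pending approval by id on behalf of `sender`, using the supplied check.
// Every outcome is appended to `audit` so denied attempts against real ids stay visible.
function tryResolve(
  store: Record<string, PendingApproval>,
  approvalId: string,
  sender: string,
  isExplicitApprover: ApproverCheck,
  audit: AuditEvent[] = [],
): AuditEvent["outcome"] {
  const pending = store[approvalId];
  if (pending === undefined || pending.resolved) {
    audit.push({ outcome: "not-found", approvalId, sender });
    return "not-found";
  }
  if (!isExplicitApprover(pending.approverIds, sender)) {
    audit.push({ outcome: "denied", approvalId, sender, channel: pending.channel });
    return "denied";
  }
  pending.resolved = true;
  audit.push({ outcome: "resolved", approvalId, sender, channel: pending.channel });
  return "resolved";
}

// Stand-alone run: the same outside sender and the same id, before and after the fix.
function demo(): { before: string; after: string; deniedEvents: number } {
  const audit: AuditEvent[] = [];
  const before = tryResolve(makeSampleStore(), "apr-1001", "outsider", isExplicitApproverFlawed, audit);
  const after = tryResolve(makeSampleStore(), "apr-1001", "outsider", isExplicitApproverFixed, audit);
  return { before, after, deniedEvents: audit.filter((e) => e.outcome === "denied").length };
}

console.log(demo()); // { before: 'resolved', after: 'denied', deniedEvents: 1 }
```

The useful regression test for this class of bug is the one the advisory mentions: a sender who is not in the resolved approver list, against an approval whose list is empty, must be denied, and that denial should leave a record carrying the approval id, channel and sender.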
## Fix
The issue was fixed in #65714. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `0a105c0900de701d2ee9f1abc96b017afbd0afdd` - PR: #65714
## Release Process Note
Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @anshumanbh for reporting this issue.
## References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-43574 [ADVISORY]
- https://github.com/openclaw/openclaw/pull/65714 [WEB]
- https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists [WEB]