GHSA-553v-f69r-656j
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
Details
### Summary

A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including `operator.admin`) before pairing approval, enabling privilege escalation.

### Impact

Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `>= 2026.2.22 <= 2026.2.24`
- Latest published npm at triage time: `2026.2.24`
- Planned patched release: `2026.2.25`

### Remediation

Require pairing for operator device-identity sessions authenticated with shared token/password auth (except the existing control-ui trusted-proxy/control-ui bypass policy paths).

### Fix Commit(s)

- `8d1481cb4a9d31bd617e52dc8c392c35689d9dea`

### Release Process Note

`patched_versions` is pre-set to the release (`>= 2026.2.25`). Advisory published with npm release `2026.2.25`.
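The following is an added illustration of the authorization check the remediation describes, written for this page and not taken from OpenClaw's code base. The session object shape, the `authMode` values and the device fields are assumptions; `operator.admin` and the pairing requirement come from the advisory.

```javascript
// Added example for this advisory, not OpenClaw's own code. Session shape,
// authMode values and device fields are assumed; only "operator.admin" and
// the "pairing required under shared auth" rule come from the advisory text.

const OPERATOR_SCOPE_PREFIX = "operator.";
// Shared gateway credentials: the paths the fix constrains.
const SHARED_AUTH_MODES = new Set(["shared-token", "shared-password"]);
// Trusted-proxy / control-ui bypass paths keep their existing policy and are
// deliberately not in SHARED_AUTH_MODES, so the new check does not apply to them.

function requestsOperatorScope(scopes) {
  return scopes.some((s) => s.startsWith(OPERATOR_SCOPE_PREFIX));
}

// Vulnerable shape: valid shared auth alone is enough to honor every requested
// scope, even when the attached device identity is self-signed and unpaired.
function grantScopesVulnerable(session) {
  if (!session.sharedAuthValid) return { ok: false, scopes: [], reason: "unauthenticated" };
  return { ok: true, scopes: [...session.requestedScopes], reason: null };
}

// Hardened shape: a device-identity session authenticated with shared
// token/password must be pairing-approved before any operator scope is granted.
function grantScopesHardened(session) {
  if (!session.sharedAuthValid) return { ok: false, scopes: [], reason: "unauthenticated" };
  const unpairedDevice = session.device !== null && !session.device.paired;
  if (SHARED_AUTH_MODES.has(session.authMode) && unpairedDevice &&
      requestsOperatorScope(session.requestedScopes)) {
    return { ok: false, scopes: [], reason: "pairing-required" };
  }
  return { ok: true, scopes: [...session.requestedScopes], reason: null };
}

// Constructed sample: shared token plus a self-signed, unpaired device
// asking for operator.admin, i.e. the situation the advisory describes.
const unpairedAdminRequest = {
  sharedAuthValid: true,
  authMode: "shared-token",
  device: { id: "constructed-device-01", selfSigned: true, paired: false },
  requestedScopes: ["operator.admin"],
};
// Same request after the operator has approved pairing.
const pairedAdminRequest = {
  ...unpairedAdminRequest,
  device: { ...unpairedAdminRequest.device, paired: true },
};

console.log("vulnerable grants:", grantScopesVulnerable(unpairedAdminRequest).ok);
console.log("hardened reason:", grantScopesHardened(unpairedAdminRequest).reason);
```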
OpenClaw thanks @tdjackey for reporting.