OpenClaw Can Reload Inactive Settings After Restart
GHSA-3pm9-5j7m-59vc
Summary
OpenClaw's startup migration treats a setting stored as an empty array as if it were missing and re-seeds it from the on-disk file config. A Tlon setting that an operator had revoked (emptied) can therefore come back after a restart, restoring access the operator intended to remove. The issue affects openclaw <= 2026.3.28; update to OpenClaw version 2026.3.31 or later.
What to do
- Update openclaw to version 2026.3.31 or later.
- After upgrading, confirm that any Tlon settings you had revoked (emptied) are still empty: a restart on a vulnerable version may already have re-seeded them from the file config.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
Original description
## Summary
Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
## Current Maintainer Triage
- Normalized severity: low
- Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state after restart.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `a4d72a83f01fedd35964c352e3473c7712a3511b` — 2026-03-31T14:57:03+01:00
OpenClaw thanks @smaeljaish771 for reporting.
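The triage note above describes the whole bug in one sentence: the migration decides whether a setting is "missing" by checking for emptiness, so an explicit `[]` (a revocation) is indistinguishable from an absent key and gets refilled from the file config. The following is an added illustration written for this page, not code from the OpenClaw project; the setting name `tlon.allowedPeers`, both config shapes and the peer names are constructed for the example. It shows the vulnerable check beside the hardened one, and a small post-restart audit that lists any revocation that came back.

```javascript
// Added illustration, not OpenClaw's code. The setting name (tlon.allowedPeers)
// and all config values below are constructed for this example.

// File-backed config as written on disk: two peers allowed.
const FILE_CONFIG = { tlon: { allowedPeers: ["~sampel-palnet", "~zod"] } };

// Persisted runtime state after the operator revoked every peer; the store
// recorded that decision as an explicit empty array.
const REVOKED_STATE = { tlon: { allowedPeers: [] } };

// Runtime state of a fresh install that never had the key at all.
const FRESH_STATE = { tlon: {} };

// Plain-data deep copy so neither input object is mutated by migration.
const clone = (o) => JSON.parse(JSON.stringify(o));

// Vulnerable pattern: "missing" is decided by emptiness, so [] looks missing
// and the revoked list is refilled from the file on every restart.
function migrateVulnerable(state, fileConfig) {
  const out = clone(state);
  out.tlon = out.tlon ?? {};
  if (!out.tlon.allowedPeers || out.tlon.allowedPeers.length === 0) {
    out.tlon.allowedPeers = clone(fileConfig.tlon.allowedPeers);
  }
  return out;
}

// Hardened pattern: only a key that is genuinely absent is seeded from file
// config. An explicit [] is an authoritative "allow nobody" and is preserved.
function migrateFixed(state, fileConfig) {
  const out = clone(state);
  out.tlon = out.tlon ?? {};
  if (!Object.prototype.hasOwnProperty.call(out.tlon, "allowedPeers")) {
    out.tlon.allowedPeers = clone(fileConfig.tlon.allowedPeers);
  }
  return out;
}

// Post-restart audit: return every dotted path that was an explicit empty
// array before migration and is non-empty afterwards, i.e. a revocation that
// the migration rehydrated. Recurses through nested plain objects.
function findRehydratedRevocations(before, after, prefix = "") {
  const hits = [];
  for (const key of Object.keys(before)) {
    const path = prefix ? `${prefix}.${key}` : key;
    const b = before[key];
    const a = after?.[key];
    if (Array.isArray(b)) {
      if (b.length === 0 && Array.isArray(a) && a.length > 0) hits.push(path);
    } else if (b && typeof b === "object") {
      hits.push(...findRehydratedRevocations(b, a ?? {}, path));
    }
  }
  return hits;
}

// Authorization check that consumes the migrated state.
function isPeerAllowed(state, peer) {
  return (state.tlon?.allowedPeers ?? []).includes(peer);
}

// Stand-alone demonstration of both migrations on the revoked state.
const afterVulnerable = migrateVulnerable(REVOKED_STATE, FILE_CONFIG);
const afterFixed = migrateFixed(REVOKED_STATE, FILE_CONFIG);
console.log("vulnerable:", afterVulnerable.tlon.allowedPeers,
  "rehydrated:", findRehydratedRevocations(REVOKED_STATE, afterVulnerable));
console.log("fixed:", afterFixed.tlon.allowedPeers,
  "rehydrated:", findRehydratedRevocations(REVOKED_STATE, afterFixed));
console.log("fresh install seeded:", migrateFixed(FRESH_STATE, FILE_CONFIG).tlon.allowedPeers);
```

The hardened version still seeds a fresh install (no key at all) from the file, so the migration keeps its purpose; the only behavioural change is that an explicit empty array is treated as a value, not as a gap. `findRehydratedRevocations` is the check to run once against a pre-restart snapshot and the post-restart state on any host that restarted while on a vulnerable version.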
CVSS 4.0 score (GHSA): 2.1
Vulnerability type: CWE-436 (Interpretation Conflict)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026