Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
OpenClaw: Unintended Access to Default Account
GHSA-pjvx-rx66-r3fg
Summary
A bug in OpenClaw's allowlist feature allows an authorized user to silently grant access to the default account, potentially leading to unauthorized actions. This issue affects versions of OpenClaw up to 2026.3.2. To fix this, update to version 2026.3.7 or later.
What to do
- Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.2 | 2026.3.7 |
Original title
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Original description
### Summary
`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote into the legacy unscoped pairing allowlist store.
Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the `default` account.
This is a real cross-account sender-authorization scoping bug. Severity is set to **medium** because exploitation requires an already-authorized user who can run `/allowlist` edits.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version checked: `2026.3.2`
- Affected versions: `<= 2026.3.2`
- Fixed on `main`: March 7, 2026 in `70da80bcb5574a10925469048d2ebb2abf882e73`
- Patched release: `2026.3.7`
### Details
The affected path was:
- `src/auto-reply/reply/commands-allowlist.ts:386-393` resolved `accountId` and read store state with it
- `src/auto-reply/reply/commands-allowlist.ts:697-702` and `src/auto-reply/reply/commands-allowlist.ts:730-733` wrote store state without passing `accountId`
- `src/pairing/pairing-store.ts:231-234` and `src/pairing/pairing-store.ts:534-554` still merged legacy unscoped allowlist entries into the `default` account
The fix scopes `/allowlist ... --store` writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through.
### Impact
- Vulnerability class: improper authorization scoping / incorrect authorization
- Exploitation requires: an already-authorized sender who can run `/allowlist` edits
- Security effect: unintended authorization expansion from one channel account into `default`
### Fix Commit(s)
- `70da80bcb5574a10925469048d2ebb2abf882e73` — scope `/allowlist ... --store` writes by account and clean up legacy default-account removals
### Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote into the legacy unscoped pairing allowlist store.
Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the `default` account.
This is a real cross-account sender-authorization scoping bug. Severity is set to **medium** because exploitation requires an already-authorized user who can run `/allowlist` edits.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version checked: `2026.3.2`
- Affected versions: `<= 2026.3.2`
- Fixed on `main`: March 7, 2026 in `70da80bcb5574a10925469048d2ebb2abf882e73`
- Patched release: `2026.3.7`
### Details
The affected path was:
- `src/auto-reply/reply/commands-allowlist.ts:386-393` resolved `accountId` and read store state with it
- `src/auto-reply/reply/commands-allowlist.ts:697-702` and `src/auto-reply/reply/commands-allowlist.ts:730-733` wrote store state without passing `accountId`
- `src/pairing/pairing-store.ts:231-234` and `src/pairing/pairing-store.ts:534-554` still merged legacy unscoped allowlist entries into the `default` account
The fix scopes `/allowlist ... --store` writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through.
### Impact
- Vulnerability class: improper authorization scoping / incorrect authorization
- Exploitation requires: an already-authorized sender who can run `/allowlist` edits
- Security effect: unintended authorization expansion from one channel account into `default`
### Fix Commit(s)
- `70da80bcb5574a10925469048d2ebb2abf882e73` — scope `/allowlist ... --store` writes by account and clean up legacy default-account removals
### Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
ghsa CVSS3.1
5.4
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-863
Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026