4 matches found
Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c28g-vh7m-fm7v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner...
CVE-2026-44991 OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands...
NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.20...
GHSA-C28G-VH7M-FM7V OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...