GHSA-g374-mggx-p6xc

Summary

Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode

Current Maintainer Triage

• Normalized severity: high
• Assessment: v2026.3.28 still misses trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a real identity-bearing auth path; the complete fix is unreleased.

Affected Packages / Versions

• Package: openclaw (npm)
• Latest published npm version: 2026.3.31
• Vulnerable version range: <=2026.3.28
• Patched versions: >= 2026.3.31
• First stable tag containing the fix: v2026.3.31

Fix Commit(s)

• 8b88b927cb0747ad24d95b07d35682bf85dc5b0e — 2026-03-30T14:19:00+01:00

OpenClaw thanks @north-echo for reporting.