GHSA-qm2m-28pf-hgjw (CVE-2026-35669)

Details

Summary

Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope

Affected Packages / Versions

Package: openclaw
Affected versions: <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

Gateway-authenticated plugin HTTP routes previously created a runtime scope set that included operator.admin regardless of caller-granted scopes. Commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe keeps plugin HTTP runtime scopes least-privileged and preserves caller scope boundaries.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe.

Fix Commit(s)

ec2dbcff9afd8a52e00de054b506c91726d9fbbe

Affected Packages

openclaw

npm

References

ADVISORY

https://github.com/advisories/GHSA-qm2m-28pf-hgjw

PACKAGE

https://github.com/openclaw/openclaw

WEB

https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe

WEB

https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw