GHSA-f3h5-h452-vp3j.yaml
info:
  name: OpenClaw
  cve: GHSA-f3h5-h452-vp3j
  summary: OpenClaw Nostr profile mutation routes allowed operator.write config persistence
  details: |
    Summary

    Nostr profile mutation routes allowed operator.write config persistence.

    Affected Packages / Versions

    - Package: openclaw
    - Ecosystem: npm
    - Affected versions: < 2026.4.10
    - Patched versions: >= 2026.4.10

    Impact

    Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority.

    Technical Details

    The fix requires operator.admin scope for Nostr profile mutation routes.

    Fix

    The issue was fixed in 63553. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.

    Credits

    Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
  cvss: ''
  severity: MEDIUM
  security_advise: 'Upgrade openclaw to >= 2026.4.10 or later. The issue was fixed in #63553. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.'
  references:
  - https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j
rule: version < "2026.4.10"
references:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j