GHSA-mf69-r24q-ghhr: Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.
Original Description
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
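To make the scoping mistake concrete, the following is an added model (not OpenClaw's code; the cap value, the channel name and the account names are constructed) that contrasts a pending-request cap keyed per channel with one keyed per account. In the per-channel variant, one account filling the window starves every other account on that channel; in the per-account variant the flooding account is still capped but other accounts are unaffected.

```python
# Constructed model of a pending pairing-request cap. It is not OpenClaw's
# code; the cap value and the channel/account names are illustrative only.
from collections import defaultdict

MAX_PENDING = 3  # assumed cap value, not taken from the advisory


class PendingPairingStore:
    """Tracks outstanding pairing requests and enforces a cap.

    scope="channel" reproduces the flawed behaviour: all accounts on a
    channel share one counter, so one account can fill the window for all.
    scope="account" is the corrected behaviour: each (channel, account)
    pair has its own counter, so other accounts cannot exhaust it.
    """

    def __init__(self, scope: str, cap: int = MAX_PENDING):
        if scope not in ("channel", "account"):
            raise ValueError("scope must be 'channel' or 'account'")
        self.scope = scope
        self.cap = cap
        self.pending = defaultdict(list)  # key -> outstanding request ids

    def _key(self, channel: str, account: str):
        # The whole bug is here: what the counter is keyed under.
        return channel if self.scope == "channel" else (channel, account)

    def request(self, channel: str, account: str, request_id: str) -> bool:
        """Return True if a new challenge was issued, False if the cap hit."""
        key = self._key(channel, account)
        if len(self.pending[key]) >= self.cap:
            return False
        self.pending[key].append(request_id)
        return True


def victim_can_pair(scope: str) -> bool:
    """Fill the window from one account, then check whether a different
    account on the same channel can still obtain a pairing challenge."""
    store = PendingPairingStore(scope)
    for i in range(MAX_PENDING):
        store.request("chan-1", "account-A", f"a{i}")
    return store.request("chan-1", "account-B", "b0")


def flooder_still_capped(scope: str) -> bool:
    """Whether the account that filled the window is itself refused."""
    store = PendingPairingStore(scope)
    for i in range(MAX_PENDING):
        store.request("chan-1", "account-A", f"a{i}")
    return not store.request("chan-1", "account-A", "a-extra")
```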
References
- github.com/advisories/GHSA-mf69-r24q-ghhr
- github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785
- github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8
- nvd.nist.gov/vuln/detail/CVE-2026-41346
- www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement